Analysis
max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20250314-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26/03/2025, 22:43
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_895a38bc3fc7a0b21cadbf5b306faff7.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_895a38bc3fc7a0b21cadbf5b306faff7.exe
  Resource: win10v2004-20250314-en
General
Target: JaffaCakes118_895a38bc3fc7a0b21cadbf5b306faff7.exe
Size: 512KB
MD5: 895a38bc3fc7a0b21cadbf5b306faff7
SHA1: 30c3c92c4e9fbd61db6dcff4ad1a42a6d5312e09
SHA256: 7a093c88448db7ce4e48155a1a14a15ee3f9f850ddd5853c2597869bcdd004ee
SHA512: 01bbcd194671e08cbeab90592756cf8c7f8f03248cf99d195986d45006dfc7b2d1e31808887dfcafa9261b1e92b4bf5ecf0afcda3fd279ab8e2173c3e1834d4e
SSDEEP: 6144:bXj6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrionXz:bT6onxOp8FySpE5zvIdtU+YmefH
Malware Config
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | dbomx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | dbomx.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | whljbuilgrv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | whljbuilgrv.exe
-
Pykspa family
-
UAC bypass (3 TTPs, 13 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | whljbuilgrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | whljbuilgrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dbomx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dbomx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dbomx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | dbomx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | dbomx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dbomx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | whljbuilgrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | whljbuilgrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | dbomx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | dbomx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | whljbuilgrv.exe
-
Detect Pykspa worm (2 IoCs)
resource | yara_rule
behavioral2/files/0x004500000002386d-4.dat | family_pykspa
behavioral2/files/0x000200000001e9ce-61.dat | family_pykspa
-
Adds policy Run key to start application (2 TTPs, 28 IoCs)
All entries are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run.
description | ioc | Process
Set value (str) | szvcwlzgbpdklg = "bnoaztmyyrkwccdzkmy.exe" | dbomx.exe
Set value (str) | szvcwlzgbpdklg = "obdqqlfstnhubcebnqdf.exe" | dbomx.exe
Set value (str) | szvcwlzgbpdklg = "qbbmkdvgfxpafeezjk.exe" | dbomx.exe
Set value (str) | vzswnzkogrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnoaztmyyrkwccdzkmy.exe" | dbomx.exe
Set value (str) | vzswnzkogrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbbmkdvgfxpafeezjk.exe" | dbomx.exe
Set value (str) | szvcwlzgbpdklg = "obdqqlfstnhubcebnqdf.exe" | dbomx.exe
Set value (str) | szvcwlzgbpdklg = "qbbmkdvgfxpafeezjk.exe" | whljbuilgrv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | dbomx.exe
Set value (str) | vzswnzkogrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obdqqlfstnhubcebnqdf.exe" | dbomx.exe
Set value (str) | vzswnzkogrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnoaztmyyrkwccdzkmy.exe" | dbomx.exe
Set value (str) | vzswnzkogrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hrqaxpgqofwgkihbk.exe" | dbomx.exe
Set value (str) | vzswnzkogrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbbmkdvgfxpafeezjk.exe" | whljbuilgrv.exe
Set value (str) | szvcwlzgbpdklg = "bnoaztmyyrkwccdzkmy.exe" | dbomx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | dbomx.exe
Set value (str) | szvcwlzgbpdklg = "hrqaxpgqofwgkihbk.exe" | dbomx.exe
Set value (str) | vzswnzkogrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hrqaxpgqofwgkihbk.exe" | dbomx.exe
Set value (str) | vzswnzkogrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obdqqlfstnhubcebnqdf.exe" | dbomx.exe
Set value (str) | szvcwlzgbpdklg = "ajhqmdtczpforomf.exe" | dbomx.exe
Set value (str) | vzswnzkogrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbbmkdvgfxpafeezjk.exe" | dbomx.exe
Set value (str) | szvcwlzgbpdklg = "druijfaoqlgucehfswknb.exe" | dbomx.exe
Set value (str) | vzswnzkogrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\druijfaoqlgucehfswknb.exe" | dbomx.exe
Set value (str) | szvcwlzgbpdklg = "qbbmkdvgfxpafeezjk.exe" | dbomx.exe
Set value (str) | vzswnzkogrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ajhqmdtczpforomf.exe" | dbomx.exe
Set value (str) | szvcwlzgbpdklg = "ajhqmdtczpforomf.exe" | dbomx.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | whljbuilgrv.exe
Set value (str) | szvcwlzgbpdklg = "bnoaztmyyrkwccdzkmy.exe" | whljbuilgrv.exe
Set value (str) | vzswnzkogrc = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ajhqmdtczpforomf.exe" | whljbuilgrv.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run | whljbuilgrv.exe
-
Disables RegEdit via registry modification (6 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dbomx.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | whljbuilgrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | whljbuilgrv.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dbomx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dbomx.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | dbomx.exe
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation | JaffaCakes118_895a38bc3fc7a0b21cadbf5b306faff7.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation | whljbuilgrv.exe
-
Executes dropped EXE (4 IoCs)
pid | Process
1828 | whljbuilgrv.exe
1732 | dbomx.exe
3644 | dbomx.exe
1524 | whljbuilgrv.exe
-
Impair Defenses: Safe Mode Boot (1 TTP, 6 IoCs)
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | dbomx.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | dbomx.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | dbomx.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | dbomx.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | dbomx.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | dbomx.exe
-
Adds Run key to start application (2 TTPs, 64 IoCs)
All 64 entries are "Set value (str)" writes; they are grouped here by key.
description | ioc | Process

Key \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run (17 entries)
Set value (str) | sxrwobnslxjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hrqaxpgqofwgkihbk.exe" | whljbuilgrv.exe
Set value (str) | vdaidtiqmbqyawt = "hrqaxpgqofwgkihbk.exe" | dbomx.exe
Set value (str) | vdaidtiqmbqyawt = "qbbmkdvgfxpafeezjk.exe" | dbomx.exe
Set value (str) | vdaidtiqmbqyawt = "obdqqlfstnhubcebnqdf.exe" | dbomx.exe
Set value (str) | sxrwobnslxjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbbmkdvgfxpafeezjk.exe" | dbomx.exe
Set value (str) | sxrwobnslxjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnoaztmyyrkwccdzkmy.exe" | dbomx.exe
Set value (str) | vdaidtiqmbqyawt = "bnoaztmyyrkwccdzkmy.exe" | dbomx.exe
Set value (str) | sxrwobnslxjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ajhqmdtczpforomf.exe" | dbomx.exe
Set value (str) | sxrwobnslxjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hrqaxpgqofwgkihbk.exe" | dbomx.exe
Set value (str) | sxrwobnslxjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ajhqmdtczpforomf.exe" | dbomx.exe
Set value (str) | sxrwobnslxjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnoaztmyyrkwccdzkmy.exe" | dbomx.exe
Set value (str) | sxrwobnslxjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obdqqlfstnhubcebnqdf.exe" | whljbuilgrv.exe
Set value (str) | vdaidtiqmbqyawt = "ajhqmdtczpforomf.exe" | dbomx.exe
Set value (str) | vdaidtiqmbqyawt = "qbbmkdvgfxpafeezjk.exe" | dbomx.exe
Set value (str) | vdaidtiqmbqyawt = "druijfaoqlgucehfswknb.exe" | whljbuilgrv.exe
Set value (str) | sxrwobnslxjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obdqqlfstnhubcebnqdf.exe" | dbomx.exe
Set value (str) | sxrwobnslxjo = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbbmkdvgfxpafeezjk.exe" | dbomx.exe

Key \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\RunOnce (13 entries)
Set value (str) | rxsyrfsysfsyy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obdqqlfstnhubcebnqdf.exe ." | dbomx.exe
Set value (str) | ajhqmdtczpforomf = "druijfaoqlgucehfswknb.exe ." | dbomx.exe
Set value (str) | rxsyrfsysfsyy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbbmkdvgfxpafeezjk.exe ." | whljbuilgrv.exe
Set value (str) | ajhqmdtczpforomf = "qbbmkdvgfxpafeezjk.exe ." | dbomx.exe
Set value (str) | rxsyrfsysfsyy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnoaztmyyrkwccdzkmy.exe ." | dbomx.exe
Set value (str) | rxsyrfsysfsyy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obdqqlfstnhubcebnqdf.exe ." | dbomx.exe
Set value (str) | ajhqmdtczpforomf = "hrqaxpgqofwgkihbk.exe ." | dbomx.exe
Set value (str) | ajhqmdtczpforomf = "druijfaoqlgucehfswknb.exe ." | dbomx.exe
Set value (str) | ajhqmdtczpforomf = "hrqaxpgqofwgkihbk.exe ." | dbomx.exe
Set value (str) | rxsyrfsysfsyy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\druijfaoqlgucehfswknb.exe ." | dbomx.exe
Set value (str) | rxsyrfsysfsyy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnoaztmyyrkwccdzkmy.exe ." | dbomx.exe
Set value (str) | ajhqmdtczpforomf = "ajhqmdtczpforomf.exe ." | dbomx.exe
Set value (str) | rxsyrfsysfsyy = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ajhqmdtczpforomf.exe ." | dbomx.exe

Key \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run (20 entries)
Set value (str) | qbbmkdvgfxpafeezjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\hrqaxpgqofwgkihbk.exe" | dbomx.exe
Set value (str) | qbbmkdvgfxpafeezjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obdqqlfstnhubcebnqdf.exe" | dbomx.exe
Set value (str) | sxrwobnslxjo = "qbbmkdvgfxpafeezjk.exe" | dbomx.exe
Set value (str) | qbbmkdvgfxpafeezjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnoaztmyyrkwccdzkmy.exe" | dbomx.exe
Set value (str) | sxrwobnslxjo = "obdqqlfstnhubcebnqdf.exe" | dbomx.exe
Set value (str) | qbbmkdvgfxpafeezjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\bnoaztmyyrkwccdzkmy.exe" | dbomx.exe
Set value (str) | sxrwobnslxjo = "ajhqmdtczpforomf.exe" | dbomx.exe
Set value (str) | qbbmkdvgfxpafeezjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\druijfaoqlgucehfswknb.exe" | whljbuilgrv.exe
Set value (str) | sxrwobnslxjo = "obdqqlfstnhubcebnqdf.exe" | dbomx.exe
Set value (str) | sxrwobnslxjo = "bnoaztmyyrkwccdzkmy.exe" | dbomx.exe
Set value (str) | qbbmkdvgfxpafeezjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ajhqmdtczpforomf.exe" | dbomx.exe
Set value (str) | qbbmkdvgfxpafeezjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ajhqmdtczpforomf.exe" | dbomx.exe
Set value (str) | sxrwobnslxjo = "druijfaoqlgucehfswknb.exe" | dbomx.exe
Set value (str) | sxrwobnslxjo = "bnoaztmyyrkwccdzkmy.exe" | dbomx.exe
Set value (str) | sxrwobnslxjo = "qbbmkdvgfxpafeezjk.exe" | whljbuilgrv.exe
Set value (str) | qbbmkdvgfxpafeezjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbbmkdvgfxpafeezjk.exe" | dbomx.exe
Set value (str) | sxrwobnslxjo = "qbbmkdvgfxpafeezjk.exe" | dbomx.exe
Set value (str) | sxrwobnslxjo = "hrqaxpgqofwgkihbk.exe" | dbomx.exe
Set value (str) | qbbmkdvgfxpafeezjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbbmkdvgfxpafeezjk.exe" | dbomx.exe
Set value (str) | qbbmkdvgfxpafeezjk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\druijfaoqlgucehfswknb.exe" | dbomx.exe

Key \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce (14 entries)
Set value (str) | rxsyrfsysfsyy = "qbbmkdvgfxpafeezjk.exe ." | dbomx.exe
Set value (str) | rxsyrfsysfsyy = "ajhqmdtczpforomf.exe ." | dbomx.exe
Set value (str) | rxsyrfsysfsyy = "obdqqlfstnhubcebnqdf.exe ." | dbomx.exe
Set value (str) | hrqaxpgqofwgkihbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obdqqlfstnhubcebnqdf.exe ." | dbomx.exe
Set value (str) | hrqaxpgqofwgkihbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbbmkdvgfxpafeezjk.exe ." | dbomx.exe
Set value (str) | rxsyrfsysfsyy = "qbbmkdvgfxpafeezjk.exe ." | dbomx.exe
Set value (str) | rxsyrfsysfsyy = "bnoaztmyyrkwccdzkmy.exe ." | whljbuilgrv.exe
Set value (str) | hrqaxpgqofwgkihbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ajhqmdtczpforomf.exe ." | dbomx.exe
Set value (str) | hrqaxpgqofwgkihbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ajhqmdtczpforomf.exe ." | dbomx.exe
Set value (str) | hrqaxpgqofwgkihbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\qbbmkdvgfxpafeezjk.exe ." | whljbuilgrv.exe
Set value (str) | rxsyrfsysfsyy = "ajhqmdtczpforomf.exe ." | dbomx.exe
Set value (str) | rxsyrfsysfsyy = "bnoaztmyyrkwccdzkmy.exe ." | dbomx.exe
Set value (str) | rxsyrfsysfsyy = "druijfaoqlgucehfswknb.exe ." | dbomx.exe
Set value (str) | hrqaxpgqofwgkihbk = "C:\\Users\\Admin\\AppData\\Local\\Temp\\obdqqlfstnhubcebnqdf.exe ." | dbomx.exe
-
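Taken together, the Winlogon, Policies\Explorer\Run and Run/RunOnce signatures are autostart writes whose data is either a full path under the user's Temp directory or a bare file name with no directory at all. The detection below is an added example, not code from the report or from the sample. It runs over Sysmon Event ID 13 (RegistryEvent SetValue) style records with the fields Image, TargetObject and Details, constructed here from the report's own rows (the report does not give dbomx.exe's full path, so Image is left as the bare name; the msiexec row is a constructed benign control), converts the report's \REGISTRY\MACHINE and \REGISTRY\USER prefixes into the HKLM/HKU form Sysmon logs, and grades each write. Two points the rows themselves make: the Shell value is written with the default shell name, so a rule that only compares content sees nothing and the write itself has to be the signal; and the Winlogon and Run writes sit under WOW6432Node, the 32-bit registry view, consistent with a 32-bit process whose drops go to C:\Windows\SysWOW64. Run and RunOnce entries in that view are still processed at logon, and a bare file name is resolved through the normal search path, which includes the Windows and system directories the "Drops file" signatures show the sample copying itself into.

```python
"""Flag autostart and logon-shell registry writes of the kind this sample
makes, over Sysmon Event ID 13 (RegistryEvent SetValue) style records.

Added example, not part of the report. EVENTS are constructed from the
report's IoCs using Sysmon's field names (Image, TargetObject, Details);
the report does not give dbomx.exe's full path, so Image is left as the
bare name, and to_sysmon_path() converts the report's \\REGISTRY\\MACHINE
and \\REGISTRY\\USER prefixes to the HKLM/HKU form Sysmon logs."""

AUTOSTART_KEY_SUFFIXES = (
    "\\microsoft\\windows\\currentversion\\run",
    "\\microsoft\\windows\\currentversion\\runonce",
    "\\microsoft\\windows\\currentversion\\policies\\explorer\\run",
)
WINLOGON_SUFFIX = "\\windows nt\\currentversion\\winlogon"
USER_WRITABLE_MARKERS = ("\\users\\", "\\programdata\\", "\\temp\\")
DEFAULT_SHELL = "explorer.exe"

MACHINE_PREFIX = "\\REGISTRY\\MACHINE"
USER_PREFIX = "\\REGISTRY\\USER"


def to_sysmon_path(report_path: str) -> str:
    """\\REGISTRY\\MACHINE\\... -> HKLM\\...; \\REGISTRY\\USER\\<sid>\\... -> HKU\\<sid>\\..."""
    upper = report_path.upper()
    if upper.startswith(MACHINE_PREFIX + "\\"):
        return "HKLM" + report_path[len(MACHINE_PREFIX):]
    if upper.startswith(USER_PREFIX + "\\"):
        return "HKU" + report_path[len(USER_PREFIX):]
    return report_path


def classify(event: dict):
    """Return (rule, detail) hits for one SetValue event; empty list if nothing matched."""
    key, _, value_name = event["TargetObject"].rpartition("\\")
    key_l = key.lower()
    details = event.get("Details", "")
    hits = []

    if any(key_l.endswith(s) for s in AUTOSTART_KEY_SUFFIXES):
        d = details.lower()
        what = f"{value_name} -> {details}"
        if any(marker in d for marker in USER_WRITABLE_MARKERS):
            hits.append(("autostart_user_writable_path", what))
        elif "\\" not in d:
            # A bare file name is resolved through the normal search path at
            # logon, which includes the Windows and system directories that the
            # 'Drops file in Windows/System32 directory' signatures show this
            # sample copying itself into.
            hits.append(("autostart_bare_filename", what))
        else:
            hits.append(("autostart_entry", what))

    if key_l.endswith(WINLOGON_SUFFIX) and value_name.lower() == "shell":
        # This sample writes the default shell name, so a content-only check
        # sees nothing; the write itself, by a non-Windows image, is the signal.
        rule = ("winlogon_shell_changed" if details.strip().lower() != DEFAULT_SHELL
                else "winlogon_shell_rewritten_with_default")
        hits.append((rule, f"{event.get('Image', '?')} wrote {details!r}"))
    return hits


def detections(events):
    """Flattened (rule, detail) list over a batch of events, in input order."""
    return [hit for e in events for hit in classify(e)]


SID = "S-1-5-21-3218366390-1258052702-4267193707-1000"
EVENTS = [
    {"Image": "dbomx.exe",
     "TargetObject": to_sysmon_path(f"\\REGISTRY\\USER\\{SID}\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\sxrwobnslxjo"),
     "Details": "C:\\Users\\Admin\\AppData\\Local\\Temp\\hrqaxpgqofwgkihbk.exe"},
    {"Image": "dbomx.exe",
     "TargetObject": to_sysmon_path("\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows\\CurrentVersion\\RunOnce\\rxsyrfsysfsyy"),
     "Details": "qbbmkdvgfxpafeezjk.exe ."},
    {"Image": "whljbuilgrv.exe",
     "TargetObject": to_sysmon_path("\\REGISTRY\\MACHINE\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Policies\\Explorer\\Run\\szvcwlzgbpdklg"),
     "Details": "qbbmkdvgfxpafeezjk.exe"},
    {"Image": "dbomx.exe",
     "TargetObject": to_sysmon_path("\\REGISTRY\\MACHINE\\SOFTWARE\\WOW6432Node\\Microsoft\\Windows NT\\CurrentVersion\\Winlogon\\Shell"),
     "Details": "Explorer.exe"},
    # Constructed benign control: a full path outside user-writable locations.
    {"Image": "C:\\Windows\\System32\\msiexec.exe",
     "TargetObject": "HKLM\\SOFTWARE\\Microsoft\\Windows\\CurrentVersion\\Run\\ExampleUpdater",
     "Details": "C:\\Program Files\\Example\\updater.exe"},
]

if __name__ == "__main__":
    for rule, detail in detections(EVENTS):
        print(f"{rule:40} {detail}")
```

The "autostart_entry" grade on the control row is deliberate: a Run value is never nothing, but a full path under Program Files written by an installer is the baseline, whereas a Temp path or a bare name written by an unsigned image in a user directory is what this report shows.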
Checks whether UAC is enabled (1 TTP, 8 IoCs)
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | whljbuilgrv.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | whljbuilgrv.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dbomx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | whljbuilgrv.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | whljbuilgrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dbomx.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | dbomx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | dbomx.exe
-
Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTP, 3 IoCs)
Possibly turns off User Account Control's privilege elevation for standard users: with EnableInstallerDetection = 0, UAC no longer detects application installers and prompts to elevate them.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | whljbuilgrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | dbomx.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | dbomx.exe
-
Looks up external IP address via web service (8 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
28 | whatismyip.everdot.org
32 | www.whatismyip.ca
35 | www.showmyipaddress.com
43 | whatismyip.everdot.org
47 | www.whatismyip.ca
48 | whatismyip.everdot.org
51 | whatismyipaddress.com
58 | www.whatismyip.ca
-
Drops autorun.inf file (1 TTP, 4 IoCs)
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | F:\autorun.inf | dbomx.exe
File created | F:\autorun.inf | dbomx.exe
File opened for modification | C:\autorun.inf | dbomx.exe
File created | C:\autorun.inf | dbomx.exe
-
Drops file in System32 directory (32 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\hrqaxpgqofwgkihbk.exe | dbomx.exe
File opened for modification | C:\Windows\SysWOW64\obdqqlfstnhubcebnqdf.exe | dbomx.exe
File created | C:\Windows\SysWOW64\szvcwlzgbpdklgctzwdzgapdkfthopkgxdah.ket | dbomx.exe
File opened for modification | C:\Windows\SysWOW64\obdqqlfstnhubcebnqdf.exe | dbomx.exe
File opened for modification | C:\Windows\SysWOW64\hrqaxpgqofwgkihbk.exe | whljbuilgrv.exe
File opened for modification | C:\Windows\SysWOW64\druijfaoqlgucehfswknb.exe | whljbuilgrv.exe
File opened for modification | C:\Windows\SysWOW64\ujncebxmplhwfimlzetxmo.exe | whljbuilgrv.exe
File opened for modification | C:\Windows\SysWOW64\ajhqmdtczpforomf.exe | dbomx.exe
File created | C:\Windows\SysWOW64\njuqzdgcmpsoeozfamitpycfb.orn | dbomx.exe
File opened for modification | C:\Windows\SysWOW64\obdqqlfstnhubcebnqdf.exe | whljbuilgrv.exe
File opened for modification | C:\Windows\SysWOW64\ujncebxmplhwfimlzetxmo.exe | dbomx.exe
File opened for modification | C:\Windows\SysWOW64\qbbmkdvgfxpafeezjk.exe | dbomx.exe
File opened for modification | C:\Windows\SysWOW64\njuqzdgcmpsoeozfamitpycfb.orn | dbomx.exe
File opened for modification | C:\Windows\SysWOW64\hrqaxpgqofwgkihbk.exe | whljbuilgrv.exe
File opened for modification | C:\Windows\SysWOW64\qbbmkdvgfxpafeezjk.exe | whljbuilgrv.exe
File opened for modification | C:\Windows\SysWOW64\obdqqlfstnhubcebnqdf.exe | whljbuilgrv.exe
File opened for modification | C:\Windows\SysWOW64\hrqaxpgqofwgkihbk.exe | dbomx.exe
File opened for modification | C:\Windows\SysWOW64\ajhqmdtczpforomf.exe | whljbuilgrv.exe
File opened for modification | C:\Windows\SysWOW64\druijfaoqlgucehfswknb.exe | dbomx.exe
File opened for modification | C:\Windows\SysWOW64\bnoaztmyyrkwccdzkmy.exe | dbomx.exe
File opened for modification | C:\Windows\SysWOW64\druijfaoqlgucehfswknb.exe | dbomx.exe
File opened for modification | C:\Windows\SysWOW64\ajhqmdtczpforomf.exe | whljbuilgrv.exe
File opened for modification | C:\Windows\SysWOW64\bnoaztmyyrkwccdzkmy.exe | whljbuilgrv.exe
File opened for modification | C:\Windows\SysWOW64\qbbmkdvgfxpafeezjk.exe | dbomx.exe
File opened for modification | C:\Windows\SysWOW64\ajhqmdtczpforomf.exe | dbomx.exe
File opened for modification | C:\Windows\SysWOW64\ujncebxmplhwfimlzetxmo.exe | dbomx.exe
File opened for modification | C:\Windows\SysWOW64\szvcwlzgbpdklgctzwdzgapdkfthopkgxdah.ket | dbomx.exe
File opened for modification | C:\Windows\SysWOW64\ujncebxmplhwfimlzetxmo.exe | whljbuilgrv.exe
File opened for modification | C:\Windows\SysWOW64\bnoaztmyyrkwccdzkmy.exe | dbomx.exe
File opened for modification | C:\Windows\SysWOW64\qbbmkdvgfxpafeezjk.exe | whljbuilgrv.exe
File opened for modification | C:\Windows\SysWOW64\bnoaztmyyrkwccdzkmy.exe | whljbuilgrv.exe
File opened for modification | C:\Windows\SysWOW64\druijfaoqlgucehfswknb.exe | whljbuilgrv.exe
-
Drops file in Program Files directory (4 IoCs)
description | ioc | Process
File opened for modification | C:\Program Files (x86)\szvcwlzgbpdklgctzwdzgapdkfthopkgxdah.ket | dbomx.exe
File created | C:\Program Files (x86)\szvcwlzgbpdklgctzwdzgapdkfthopkgxdah.ket | dbomx.exe
File opened for modification | C:\Program Files (x86)\njuqzdgcmpsoeozfamitpycfb.orn | dbomx.exe
File created | C:\Program Files (x86)\njuqzdgcmpsoeozfamitpycfb.orn | dbomx.exe
-
Drops file in Windows directory (32 IoCs)
description | ioc | Process
File opened for modification | C:\Windows\ujncebxmplhwfimlzetxmo.exe | dbomx.exe
File created | C:\Windows\njuqzdgcmpsoeozfamitpycfb.orn | dbomx.exe
File opened for modification | C:\Windows\szvcwlzgbpdklgctzwdzgapdkfthopkgxdah.ket | dbomx.exe
File opened for modification | C:\Windows\bnoaztmyyrkwccdzkmy.exe | whljbuilgrv.exe
File opened for modification | C:\Windows\druijfaoqlgucehfswknb.exe | whljbuilgrv.exe
File opened for modification | C:\Windows\ujncebxmplhwfimlzetxmo.exe | whljbuilgrv.exe
File opened for modification | C:\Windows\hrqaxpgqofwgkihbk.exe | dbomx.exe
File opened for modification | C:\Windows\druijfaoqlgucehfswknb.exe | dbomx.exe
File opened for modification | C:\Windows\obdqqlfstnhubcebnqdf.exe | dbomx.exe
File opened for modification | C:\Windows\druijfaoqlgucehfswknb.exe | dbomx.exe
File opened for modification | C:\Windows\njuqzdgcmpsoeozfamitpycfb.orn | dbomx.exe
File opened for modification | C:\Windows\qbbmkdvgfxpafeezjk.exe | whljbuilgrv.exe
File opened for modification | C:\Windows\bnoaztmyyrkwccdzkmy.exe | whljbuilgrv.exe
File opened for modification | C:\Windows\ujncebxmplhwfimlzetxmo.exe | whljbuilgrv.exe
File opened for modification | C:\Windows\obdqqlfstnhubcebnqdf.exe | whljbuilgrv.exe
File created | C:\Windows\szvcwlzgbpdklgctzwdzgapdkfthopkgxdah.ket | dbomx.exe
File opened for modification | C:\Windows\hrqaxpgqofwgkihbk.exe | dbomx.exe
File opened for modification | C:\Windows\hrqaxpgqofwgkihbk.exe | whljbuilgrv.exe
File opened for modification | C:\Windows\obdqqlfstnhubcebnqdf.exe | dbomx.exe
File opened for modification | C:\Windows\ajhqmdtczpforomf.exe | dbomx.exe
File opened for modification | C:\Windows\ajhqmdtczpforomf.exe | whljbuilgrv.exe
File opened for modification | C:\Windows\bnoaztmyyrkwccdzkmy.exe | dbomx.exe
File opened for modification | C:\Windows\druijfaoqlgucehfswknb.exe | whljbuilgrv.exe
File opened for modification | C:\Windows\qbbmkdvgfxpafeezjk.exe | whljbuilgrv.exe
File opened for modification | C:\Windows\ajhqmdtczpforomf.exe | dbomx.exe
File opened for modification | C:\Windows\qbbmkdvgfxpafeezjk.exe | dbomx.exe
File opened for modification | C:\Windows\hrqaxpgqofwgkihbk.exe | whljbuilgrv.exe
File opened for modification | C:\Windows\obdqqlfstnhubcebnqdf.exe | whljbuilgrv.exe
File opened for modification | C:\Windows\ajhqmdtczpforomf.exe | whljbuilgrv.exe
File opened for modification | C:\Windows\bnoaztmyyrkwccdzkmy.exe | dbomx.exe
File opened for modification | C:\Windows\ujncebxmplhwfimlzetxmo.exe | dbomx.exe
File opened for modification | C:\Windows\qbbmkdvgfxpafeezjk.exe | dbomx.exe
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_895a38bc3fc7a0b21cadbf5b306faff7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | whljbuilgrv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dbomx.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | dbomx.exe
-
Suspicious behavior: EnumeratesProcesses (64 IoCs)
pid | Process
4556 | JaffaCakes118_895a38bc3fc7a0b21cadbf5b306faff7.exe (60 entries)
3644 | dbomx.exe (4 entries)
-
Suspicious use of AdjustPrivilegeToken 1 IoCs
description              pid   Process
Token: SeDebugPrivilege  3644  dbomx.exe
-
Suspicious use of WriteProcessMemory 12 IoCs
description                       pid   Process                                              procid_target
PID 4556 wrote to memory of 1828  4556  JaffaCakes118_895a38bc3fc7a0b21cadbf5b306faff7.exe  89   (3 entries)
PID 1828 wrote to memory of 1732  1828  whljbuilgrv.exe                                      94   (3 entries)
PID 1828 wrote to memory of 3644  1828  whljbuilgrv.exe                                      95   (3 entries)
PID 4556 wrote to memory of 1524  4556  JaffaCakes118_895a38bc3fc7a0b21cadbf5b306faff7.exe  110  (3 entries)
-
System policy modification 1 TTPs 38 IoCs
description      ioc  Process
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"  dbomx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  dbomx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  dbomx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"  whljbuilgrv.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  dbomx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  dbomx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  dbomx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"  whljbuilgrv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"  whljbuilgrv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  dbomx.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  dbomx.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  whljbuilgrv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  whljbuilgrv.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  dbomx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  dbomx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"  dbomx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"  whljbuilgrv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"  dbomx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"  dbomx.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System  whljbuilgrv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"  whljbuilgrv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"  whljbuilgrv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"  whljbuilgrv.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  dbomx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  whljbuilgrv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  dbomx.exe
Key created      \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer  whljbuilgrv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"  dbomx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"  dbomx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"  dbomx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"  dbomx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"  dbomx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"  whljbuilgrv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"  dbomx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"  dbomx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  whljbuilgrv.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"  dbomx.exe
Set value (int)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"  dbomx.exe
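Not every "Set value" entry above weakens the host: some writes (FilterAdministratorToken = 0, ValidateAdminCodeSignatures = 0, Winlogon Shell = "Explorer.exe") only re-assert stock defaults, while EnableLUA = 0, ConsentPromptBehaviorAdmin = 0 and PromptOnSecureDesktop = 0 together switch UAC off at the next logon. The script below is an added example, not part of the sandbox report or of the sample: it parses the IoC lines in the format this report uses, compares each value with the stock Windows 10 default (an assumption; a Group Policy managed host may differ) and rates it. The IoC lines are copied from the signatures above; the baseline table and the rating logic are this example's own.

```python
"""Rate the registry "Set value" IoCs of a sandbox report against stock
Windows defaults, so that real weakening is separated from no-op writes.

Added example.  Assumed line format:
    Set value (<int|str>) <registry path> = "<data>" <process>
"""
import re
from dataclasses import dataclass

# Constructed sample: entries copied from the "UAC bypass", "System policy
# modification" and "Modifies WinLogon for persistence" signatures above.
REPORT_IOCS = r'''
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" dbomx.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" whljbuilgrv.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" dbomx.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" dbomx.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" dbomx.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" whljbuilgrv.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" dbomx.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" whljbuilgrv.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" whljbuilgrv.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System dbomx.exe
'''

# Stock Windows 10 defaults (assumption: host not managed by Group Policy).
# Keys are lower-case path tails so HKLM, HKCU and WOW6432Node views all match.
# The note describes what a deviating value does.
BASELINE = {
    r"policies\system\enablelua": (1, "UAC switched off at next logon"),
    r"policies\system\consentpromptbehavioradmin": (5, "administrators elevate without a prompt"),
    r"policies\system\consentpromptbehavioruser": (3, "standard-user elevation requests no longer prompt"),
    r"policies\system\promptonsecuredesktop": (1, "prompts drawn on the normal desktop, spoofable"),
    r"policies\system\filteradministratortoken": (0, "built-in Administrator gets a full token"),
    r"policies\system\enablevirtualization": (1, "UAC file/registry virtualization off"),
    r"policies\system\validateadmincodesignatures": (0, "no signature check on elevating binaries"),
    r"policies\system\enablesecureuiapaths": (1, "UIAccess apps may run from any path"),
    r"policies\system\disableregistrytools": (0, "regedit blocked, hampering manual cleanup"),
    r"policies\explorer\nodrivetypeautorun": (0x91, "AutoRun policy loosened below the default"),
    r"winlogon\shell": ("explorer.exe", "logon shell replaced"),
}

@dataclass
class Finding:
    name: str      # value name, e.g. EnableLUA
    data: str      # data as written by the sample
    process: str   # writing process
    status: str    # "weakened", "matches default" or "untracked"
    note: str

IOC_RE = re.compile(r'^Set value \((int|str)\) (.+?) = "([^"]*)" (\S+)$')

def parse(text):
    """Yield (kind, path, data, process) for every 'Set value' line."""
    for line in text.strip().splitlines():
        m = IOC_RE.match(line.strip())
        if m:
            yield m.groups()

def assess(text):
    findings = []
    for kind, path, data, process in parse(text):
        name = path.rsplit("\\", 1)[-1]
        tail = next((k for k in BASELINE if path.lower().endswith(k)), None)
        if tail is None:
            findings.append(Finding(name, data, process, "untracked", ""))
            continue
        default, note = BASELINE[tail]
        if kind == "int":
            same = int(data) == default
        else:
            same = data.lower() == str(default).lower()
        findings.append(Finding(name, data, process,
                                "matches default" if same else "weakened",
                                "" if same else note))
    return findings

def summary(text):
    """Deduplicated view: which values were weakened, which were no-ops, by whom."""
    fs = assess(text)
    return {
        "weakened": sorted({f.name for f in fs if f.status == "weakened"}),
        "unchanged": sorted({f.name for f in fs if f.status == "matches default"}),
        "processes": {f.process for f in fs},
    }

if __name__ == "__main__":
    for f in assess(REPORT_IOCS):
        print(f"{f.status:16} {f.name:28} = {f.data:14} by {f.process}  {f.note}")
    print(summary(REPORT_IOCS))
```

Two caveats worth keeping in mind when reading the result. The Winlogon write the sandbox logged went to the WOW6432Node view and only re-asserts the default shell name, so no persistence payload is visible in that entry; the Run keys and policy Run keys the report flags on each process are where to look on a host. NoDriveTypeAutoRun = 1 is below the 0x91 default (it stops excluding network and unknown drive types), but current Windows ignores autorun.inf on non-optical removable media anyway, so the dropped autorun.inf mostly matters on legacy hosts and mapped drives.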
Processes
-
Level 1: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_895a38bc3fc7a0b21cadbf5b306faff7.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_895a38bc3fc7a0b21cadbf5b306faff7.exe"
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID: 4556
-
  Level 2 (parent 4556): C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_895a38bc3fc7a0b21cadbf5b306faff7.exe*"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID: 1828
  -
    Level 3 (parent 1828): C:\Users\Admin\AppData\Local\Temp\dbomx.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\dbomx.exe" "-C:\Users\Admin\AppData\Local\Temp\ajhqmdtczpforomf.exe"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - System policy modification
    PID: 1732
    -
    Level 3 (parent 1828): C:\Users\Admin\AppData\Local\Temp\dbomx.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\dbomx.exe" "-C:\Users\Admin\AppData\Local\Temp\ajhqmdtczpforomf.exe"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID: 3644
    -
  Level 2 (parent 4556): C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_895a38bc3fc7a0b21cadbf5b306faff7.exe"
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Executes dropped EXE
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System policy modification
  PID: 1524
  -
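The tree above, read together with the WriteProcessMemory entries, shows the whole chain running out of the user's Temp directory: the submitted sample launches whljbuilgrv.exe twice, handing it the sample's own path as an argument (once with a trailing "*"), and whljbuilgrv.exe launches two copies of dbomx.exe. The script below is an added example, not part of the report: it rebuilds parent/child relationships from WriteProcessMemory lines in this report's format and applies two heuristics of this example's own (a child in a user-writable directory whose parent is also there, and a child whose command line contains its parent's image path). The WPM lines and the pid table are copied from the sections above.

```python
"""Rebuild a process tree from a sandbox report's WriteProcessMemory entries
and flag the user-writable-directory relaunch chain it shows.

Added example.  Assumed WPM line format:
    PID <parent> wrote to memory of <child> <parent> <parent image> <target id>
"""
import ntpath
import re
from collections import defaultdict

# Constructed from "Suspicious use of WriteProcessMemory" above (one of each
# triplicated entry).
WPM_LINES = """
PID 4556 wrote to memory of 1828 4556 JaffaCakes118_895a38bc3fc7a0b21cadbf5b306faff7.exe 89
PID 1828 wrote to memory of 1732 1828 whljbuilgrv.exe 94
PID 1828 wrote to memory of 3644 1828 whljbuilgrv.exe 95
PID 4556 wrote to memory of 1524 4556 JaffaCakes118_895a38bc3fc7a0b21cadbf5b306faff7.exe 110
"""

# Constructed from the "Processes" section above: pid -> (image, command line).
PROCESSES = {
    4556: (r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_895a38bc3fc7a0b21cadbf5b306faff7.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_895a38bc3fc7a0b21cadbf5b306faff7.exe"'),
    1828: (r"C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_895a38bc3fc7a0b21cadbf5b306faff7.exe*"'),
    1732: (r"C:\Users\Admin\AppData\Local\Temp\dbomx.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\dbomx.exe" "-C:\Users\Admin\AppData\Local\Temp\ajhqmdtczpforomf.exe"'),
    3644: (r"C:\Users\Admin\AppData\Local\Temp\dbomx.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\dbomx.exe" "-C:\Users\Admin\AppData\Local\Temp\ajhqmdtczpforomf.exe"'),
    1524: (r"C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe",
           r'"C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_895a38bc3fc7a0b21cadbf5b306faff7.exe"'),
}

WPM_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \d+ \S+ \d+$")
# User-writable location this chain runs from (assumption: %LOCALAPPDATA%\Temp).
USER_WRITABLE = re.compile(r"\\appdata\\local\\temp\\", re.IGNORECASE)

def parents(text):
    """child pid -> parent pid; the first WPM hit wins, later ones are repeats."""
    tree = {}
    for line in text.strip().splitlines():
        m = WPM_RE.match(line.strip())
        if m:
            tree.setdefault(int(m.group(2)), int(m.group(1)))
    return tree

def findings(tree, procs):
    """(child pid, rule, detail) for every heuristic hit."""
    out = []
    for child, parent in tree.items():
        c_img, c_cmd = procs[child]
        p_img, _ = procs[parent]
        if USER_WRITABLE.search(c_img) and USER_WRITABLE.search(p_img):
            out.append((child, "temp_to_temp",
                        f"{ntpath.basename(p_img)} -> {ntpath.basename(c_img)}"))
        if p_img.lower() in c_cmd.lower():
            out.append((child, "parent_path_in_args",
                        f"{ntpath.basename(c_img)} was handed {ntpath.basename(p_img)}"))
    return out

def render(tree, procs):
    """Indented tree, children in pid order, roots = pids never seen as a child."""
    children = defaultdict(list)
    for c, p in tree.items():
        children[p].append(c)
    lines = []
    def walk(pid, depth):
        img, cmd = procs[pid]
        lines.append(f"{'  ' * depth}{pid} {ntpath.basename(img)}  {cmd}")
        for c in sorted(children[pid]):
            walk(c, depth + 1)
    for root in [p for p in procs if p not in tree]:
        walk(root, 0)
    return "\n".join(lines)

if __name__ == "__main__":
    tree = parents(WPM_LINES)
    print(render(tree, PROCESSES))
    for child, rule, detail in findings(tree, PROCESSES):
        print(f"{child}: {rule}: {detail}")
```

On a real endpoint the same two rules run over Sysmon event ID 1 (parent image, image, command line) instead of the report's WPM lines; the parent_path_in_args rule in particular is cheap and fires on the dropper-to-copy handoff regardless of the random file names this family picks.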
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (T1547) 3
    Registry Run Keys / Startup Folder (T1547.001) 2
    Winlogon Helper DLL (T1547.004) 1
  Hijack Execution Flow (T1574) 1
    Executable Installer File Permissions Weakness (T1574.005) 1
Privilege Escalation
  Abuse Elevation Control Mechanism (T1548) 1
    Bypass User Account Control (T1548.002) 1
  Boot or Logon Autostart Execution (T1547) 3
    Registry Run Keys / Startup Folder (T1547.001) 2
    Winlogon Helper DLL (T1547.004) 1
  Hijack Execution Flow (T1574) 1
    Executable Installer File Permissions Weakness (T1574.005) 1
Defense Evasion
  Abuse Elevation Control Mechanism (T1548) 1
    Bypass User Account Control (T1548.002) 1
  Hijack Execution Flow (T1574) 1
    Executable Installer File Permissions Weakness (T1574.005) 1
  Impair Defenses (T1562) 2
    Disable or Modify Tools (T1562.001) 1
    Safe Mode Boot (T1562.009) 1
  Modify Registry (T1112) 5
Downloads
-
Filesize  272B
MD5       034d27450754e8943e61fa54d7616588
SHA1      28e31c8ee06697652f009c1fc63e95186cb4778d
SHA256    cca6f7eb9763961cc786994b211e6b32093659d8bedde69e6b90dd6ec411248a
SHA512    26fa571e85e1d75ad1f96df6011c652f91e08eaabe51ca43649d2f611b05b596a968c014cd90749897c36abd89e2e904e001d3cb5b5e8e499f67e1bf032a55db
-
Filesize  272B
MD5       74ef8ea01f68016e9b6bbb27dc71ae37
SHA1      f6274da39ca0bc030afab55e2e21c1025efc7212
SHA256    1b53fb7f9edfb4ea344e34b604c5c1cb435ee7589aee858f5b07ad211f7f49f6
SHA512    ddbe94af410115c0b205bb7fb9a2808677a85c1e856f60d8c5b6cea651133aad38a0db0879d69d8123142efe84e0667786b0f4cc2d0cfbaaab37c05424297802
-
Filesize  272B
MD5       8a08116d7c1ba6f7fe622799e00a3942
SHA1      590ed9483c54740b0cc054ca3c29ba17aba3255f
SHA256    37efd50765863607eab4d31635c1708a82ff70a293ceef02d744ff58753824f9
SHA512    287167a1bb3b19168870227f3f5070169e92869fbfc589af03d7e695176481e58fae2a7b1d062cc0b9c286422d2dba38a49787b65c8d9e17224425e61f782b4d
-
Filesize  272B
MD5       fd8ae2ac72e3ae549a1fbc6dd0f2cdf1
SHA1      41b03f822f208d8e364dbc7e545443caa1fded48
SHA256    1cdd22b9d063eb6b96c284d9851d79b5895f35b45a286858a420b3b01b3595ae
SHA512    bda90642cbe276f54e679421adc70158535fc2da85e229a377fdca9f41a9a1df1849f37ef11c7bf647613e96cd0ac0000211f3d9a41a6bc3edd3ccff9700d56e
-
Filesize  272B
MD5       b5caea20d5324ad16da706967586c68c
SHA1      3d01ed5702a411983f1d341098ec514e7459e8c2
SHA256    939a128862f21ff830b71aa94cd7ffecde7b2b1f67a6b841ba1970dc01b8ee72
SHA512    11674298e52d4fa6121e2df4bc60301faa7ce8ce4ad406e17db85ce5d5ec01093036d3df06b6813489b40373a2a5d392dd3c8bc528ac7d8df0e553df77a835c4
-
Filesize  720KB
MD5       192215c06f79c5986bd293807cb3f9b4
SHA1      7981c4f05052761c7f32b919d939f7d3992203c8
SHA256    30d32da06b27b48c646495155bcae71f3cc01464598d60b92fa4f7143eb6271d
SHA512    b73e979f49800bdead805209178dc64e7d1ca9e1a9b40915c3c81811e6a4c7e775083cf71f4125ea46ff07f052e04ec801013ddcb7884519534c11be4867b5f3
-
Filesize  320KB
MD5       5203b6ea0901877fbf2d8d6f6d8d338e
SHA1      c803e92561921b38abe13239c1fd85605b570936
SHA256    0cc02d34d5fd4cf892fed282f98c1ad3e7dd6159a8877ae5c46d3f834ed36060
SHA512    d48a41b4fc4c38a6473f789c02918fb7353a4b4199768a3624f3b685d91d38519887a1ccd3616e0d2b079a346afaec5a0f2ef2c46d72d3097ef561cedb476471
-
Filesize  272B
MD5       17dfb8dfe0e332f6ad75e843496583b7
SHA1      03adc9cc31a679f42617ce1fb6c81e9a252e7259
SHA256    9b60661604b94ca399c5630f5de3aabde342bad878b2b06996ed752f20426f72
SHA512    8341d4dcf1bcd2ddf6a0522bff9ef7aa03b13c3335b9afed2cf045268e00528adf6b9a7b8b4602273d37157238acb291e2c5522f9a9019acf1675abeb9dad9ee
-
Filesize  3KB
MD5       939f110fc2a6bbbd17c75a7e0f08e8b7
SHA1      f5fd9651f65c4a76293d2162952ce1ff3634dfb0
SHA256    537cde5c4edccf391300c1ec965bc8fcd7be62ad055e0efbfbe9193fbcb82693
SHA512    354c7be60a23e452951b517d01bd2e4d8267587f13c1e56a0c0e8a33e57a233975488b8b7916c9aa9dc8f66d2047305c286b17252f98b868247a8addb80e51a3
-
Filesize  512KB  (the submitted sample; same hashes as Target above)
MD5       895a38bc3fc7a0b21cadbf5b306faff7
SHA1      30c3c92c4e9fbd61db6dcff4ad1a42a6d5312e09
SHA256    7a093c88448db7ce4e48155a1a14a15ee3f9f850ddd5853c2597869bcdd004ee
SHA512    01bbcd194671e08cbeab90592756cf8c7f8f03248cf99d195986d45006dfc7b2d1e31808887dfcafa9261b1e92b4bf5ecf0afcda3fd279ab8e2173c3e1834d4e
-
Filesize  656KB
MD5       3a5105ff03e7b827b68b650bae59f7ce
SHA1      b7dd7f343228e875eaaea019f0751ba5751be9f0
SHA256    b5a39772351cbe7f8a5efd9eef8454d86535dbba0d4a600dd9645b7976b88a6c
SHA512    99d64f0cc8f94ec3485aec5ca4e2116cfb6a94155a09ce04816d7275b8b91fe056ff3fd17e260a4ff722f3e18b8ccf7a09b6bbdde3609474bda6d2372c0207fc