Analysis
- max time kernel: 150s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20250314-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27/03/2025, 02:42
Static task
- static1
Behavioral task
- behavioral1: Sample JaffaCakes118_8970327ee75efc6d291e9fa94473fa4e.exe, Resource win7-20240903-en
- behavioral2: Sample JaffaCakes118_8970327ee75efc6d291e9fa94473fa4e.exe, Resource win10v2004-20250314-en
General
- Target: JaffaCakes118_8970327ee75efc6d291e9fa94473fa4e.exe
- Size: 556KB
- MD5: 8970327ee75efc6d291e9fa94473fa4e
- SHA1: dce4a0d459b277c8ecf8edd903910ea4bac15769
- SHA256: 439ce0019a7fb62b9832175f3504fad7aaa7c9d1b3cc765da31316dbfcb45168
- SHA512: 6d29535c57788756521fc0a65d7b354e6e18968454f7b8f7171813207b3dba743f67d53f33f98c790986951126e8e13174664ab9bd67bdcdf2104b399e25eb1f
- SSDEEP: 6144:Sj6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrionr:A6onxOp8FySpE5zvIdtU+Ymef
Malware Config
Signatures
Modifies WinLogon for persistence 2 TTPs 4 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | whljbuilgrv.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | jqbgfm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | jqbgfm.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | whljbuilgrv.exe
Pykspa family
UAC bypass 3 TTPs 13 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | jqbgfm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | whljbuilgrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | whljbuilgrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | jqbgfm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" | jqbgfm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | whljbuilgrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | whljbuilgrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | whljbuilgrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | jqbgfm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | jqbgfm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | jqbgfm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" | jqbgfm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" | jqbgfm.exe
Detect Pykspa worm 2 IoCs
resource | yara_rule
behavioral2/files/0x000d000000023ef4-4.dat | family_pykspa
behavioral2/files/0x000200000001e973-60.dat | family_pykspa
Adds policy Run key to start application 2 TTPs 24 IoCs
Disables RegEdit via registry modification 6 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jqbgfm.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | whljbuilgrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | whljbuilgrv.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jqbgfm.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jqbgfm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | jqbgfm.exe
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation | whljbuilgrv.exe
Key value queried | \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation | JaffaCakes118_8970327ee75efc6d291e9fa94473fa4e.exe
Executes dropped EXE 4 IoCs
pid | Process
4888 | whljbuilgrv.exe
2812 | jqbgfm.exe
4876 | jqbgfm.exe
4816 | whljbuilgrv.exe
Impair Defenses: Safe Mode Boot 1 TTPs 6 IoCs
description | ioc | Process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | jqbgfm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\iai2c.sys | jqbgfm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\CBDHSvc | jqbgfm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\UserManager | jqbgfm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\SerCx2.sys | jqbgfm.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | jqbgfm.exe
Adds Run key to start application 2 TTPs 64 IoCs
Checks whether UAC is enabled 1 TTPs 8 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | whljbuilgrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | jqbgfm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | jqbgfm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" | whljbuilgrv.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | whljbuilgrv.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | jqbgfm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | jqbgfm.exe
Key value queried | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA | whljbuilgrv.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs
Possibly turns off User Account Control's privilege elevation for standard users.
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | jqbgfm.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | whljbuilgrv.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | jqbgfm.exe
Looks up external IP address via web service 6 IoCs
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
51 | www.whatismyip.ca
56 | whatismyip.everdot.org
27 | whatismyip.everdot.org
28 | whatismyipaddress.com
41 | www.showmyipaddress.com
49 | whatismyip.everdot.org
Drops autorun.inf file 1 TTPs 4 IoCs
Malware can abuse Windows Autorun to spread further via attached volumes.
description | ioc | Process
File opened for modification | C:\autorun.inf | jqbgfm.exe
File created | C:\autorun.inf | jqbgfm.exe
File opened for modification | F:\autorun.inf | jqbgfm.exe
File created | F:\autorun.inf | jqbgfm.exe
Drops file in System32 directory 32 IoCs
Drops file in Program Files directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Program Files (x86)\yeosqwdfspchfxjwebkqaecipre.otr | jqbgfm.exe
File created | C:\Program Files (x86)\yeosqwdfspchfxjwebkqaecipre.otr | jqbgfm.exe
File opened for modification | C:\Program Files (x86)\vmhwfwobzhfvehecvdxojyhyqdbjhxgjgexfzq.aja | jqbgfm.exe
File created | C:\Program Files (x86)\vmhwfwobzhfvehecvdxojyhyqdbjhxgjgexfzq.aja | jqbgfm.exe
Drops file in Windows directory 32 IoCs
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | whljbuilgrv.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | jqbgfm.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_8970327ee75efc6d291e9fa94473fa4e.exe
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious use of AdjustPrivilegeToken 1 IoCs
- Token: SeDebugPrivilege (pid 2812, jqbgfm.exe)
Suspicious use of WriteProcessMemory 12 IoCs
- PID 1528 wrote to memory of 4888 (pid 1528, JaffaCakes118_8970327ee75efc6d291e9fa94473fa4e.exe, procid_target 91)
- PID 1528 wrote to memory of 4888 (pid 1528, JaffaCakes118_8970327ee75efc6d291e9fa94473fa4e.exe, procid_target 91)
- PID 1528 wrote to memory of 4888 (pid 1528, JaffaCakes118_8970327ee75efc6d291e9fa94473fa4e.exe, procid_target 91)
- PID 4888 wrote to memory of 2812 (pid 4888, whljbuilgrv.exe, procid_target 96)
- PID 4888 wrote to memory of 2812 (pid 4888, whljbuilgrv.exe, procid_target 96)
- PID 4888 wrote to memory of 2812 (pid 4888, whljbuilgrv.exe, procid_target 96)
- PID 4888 wrote to memory of 4876 (pid 4888, whljbuilgrv.exe, procid_target 97)
- PID 4888 wrote to memory of 4876 (pid 4888, whljbuilgrv.exe, procid_target 97)
- PID 4888 wrote to memory of 4876 (pid 4888, whljbuilgrv.exe, procid_target 97)
- PID 1528 wrote to memory of 4816 (pid 1528, JaffaCakes118_8970327ee75efc6d291e9fa94473fa4e.exe, procid_target 111)
- PID 1528 wrote to memory of 4816 (pid 1528, JaffaCakes118_8970327ee75efc6d291e9fa94473fa4e.exe, procid_target 111)
- PID 1528 wrote to memory of 4816 (pid 1528, JaffaCakes118_8970327ee75efc6d291e9fa94473fa4e.exe, procid_target 111)
System policy modification 1 TTPs 38 IoCs
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (jqbgfm.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (whljbuilgrv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" (jqbgfm.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" (jqbgfm.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" (jqbgfm.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (whljbuilgrv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (whljbuilgrv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (jqbgfm.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" (jqbgfm.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" (jqbgfm.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (whljbuilgrv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" (whljbuilgrv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" (whljbuilgrv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (jqbgfm.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (jqbgfm.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (jqbgfm.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (whljbuilgrv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (whljbuilgrv.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (jqbgfm.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System (jqbgfm.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" (whljbuilgrv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" (jqbgfm.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" (jqbgfm.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" (whljbuilgrv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (whljbuilgrv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" (jqbgfm.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" (whljbuilgrv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (jqbgfm.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" (jqbgfm.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" (whljbuilgrv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (jqbgfm.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" (jqbgfm.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (jqbgfm.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" (jqbgfm.exe)
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer (jqbgfm.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (whljbuilgrv.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" (jqbgfm.exe)
- Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" (jqbgfm.exe)
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8970327ee75efc6d291e9fa94473fa4e.exe (PID 1528)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8970327ee75efc6d291e9fa94473fa4e.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe (PID 4888)
    Command line: "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8970327ee75efc6d291e9fa94473fa4e.exe*"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\jqbgfm.exe (PID 2812)
      Command line: "C:\Users\Admin\AppData\Local\Temp\jqbgfm.exe" "-C:\Users\Admin\AppData\Local\Temp\vmhwfwobzhfvehec.exe"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Impair Defenses: Safe Mode Boot
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops autorun.inf file
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification
    - C:\Users\Admin\AppData\Local\Temp\jqbgfm.exe (PID 4876)
      Command line: "C:\Users\Admin\AppData\Local\Temp\jqbgfm.exe" "-C:\Users\Admin\AppData\Local\Temp\vmhwfwobzhfvehec.exe"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
  - C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe (PID 4816)
    Command line: "C:\Users\Admin\AppData\Local\Temp\whljbuilgrv.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8970327ee75efc6d291e9fa94473fa4e.exe"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Privilege Escalation
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Boot or Logon Autostart Execution (3)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
Defense Evasion
- Abuse Elevation Control Mechanism (1)
  - Bypass User Account Control (1)
- Hijack Execution Flow (1)
  - Executable Installer File Permissions Weakness (1)
- Impair Defenses (2)
  - Disable or Modify Tools (1)
  - Safe Mode Boot (1)
- Modify Registry (5)
Downloads