Analysis

max time kernel: 49s
max time network: 38s
platform: windows7_x64
resource: win7-20240903-en
resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
submitted: 28/03/2025, 01:26

Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
  Resource: win10v2004-20250313-en

General

Target: JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
Size: 512KB
MD5: 8a37689689c2c8072ce71dc9eaee9278
SHA1: 9f4b5397777e2740b9c42f5df71eeb143854dd0a
SHA256: a8b7dd0803b23353719c57aa2a57b6124e5aceb16da43b803b146f4e28a1f921
SHA512: d30f59e78c4134770d16ebb8e56d280e21dd221fa43b4a9b604e438b0f3a67d2ec86dae029509b94e5e5b64d92c64f71df6b66643e034384df5b5f8158930191
SSDEEP: 12288:gQMiG+2gef5x/xQTB2OfDKC7WgcURfMMMMM2MMMMM:gQ0+29VgfDnKwRfMMMMM2MMMMM
Malware Config

Signatures
Modifies WinLogon for persistence (2 TTPs, 6 IoCs)
All six writes set the same value. The data written is "Explorer.exe", the standard shell name, so the signature fires on the write to Winlogon\Shell itself, not on an attacker-supplied shell path. Note also that the writes landed in the Wow6432Node (WOW64) view of the key because the sample is 32-bit; check whether the native Winlogon key was touched before treating this as effective persistence.
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | xaxybxpphkh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cfglr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | cfglr.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | xaxybxpphkh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | xaxybxpphkh.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe" | xaxybxpphkh.exe
Pykspa family
UAC bypass (3 TTPs, 15 IoCs)
All values are under \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System. EnableLUA = 0 switches UAC off only after the next reboot; ConsentPromptBehaviorAdmin = 0 ("elevate without prompting") and PromptOnSecureDesktop = 0 apply to later elevation requests on the running system. ConsentPromptBehaviorUser = 0 means standard-user elevation requests are automatically denied rather than silently granted.
description | ioc | process
Set value (int) | PromptOnSecureDesktop = "0" | xaxybxpphkh.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | cfglr.exe
Set value (int) | PromptOnSecureDesktop = "0" | cfglr.exe
Set value (int) | PromptOnSecureDesktop = "0" | cfglr.exe
Set value (int) | EnableLUA = "0" | xaxybxpphkh.exe
Set value (int) | EnableLUA = "0" | xaxybxpphkh.exe
Set value (int) | ConsentPromptBehaviorUser = "0" | xaxybxpphkh.exe
Set value (int) | EnableLUA = "0" | cfglr.exe
Set value (int) | ConsentPromptBehaviorUser = "0" | cfglr.exe
Set value (int) | EnableLUA = "0" | xaxybxpphkh.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | xaxybxpphkh.exe
Set value (int) | EnableLUA = "0" | cfglr.exe
Set value (int) | ConsentPromptBehaviorUser = "0" | cfglr.exe
Set value (int) | EnableLUA = "0" | xaxybxpphkh.exe
Set value (int) | ConsentPromptBehaviorAdmin = "0" | cfglr.exe
Detect Pykspa worm (2 IoCs)
resource | yara_rule
behavioral1/files/0x0008000000012102-2.dat | family_pykspa
behavioral1/files/0x0005000000019db8-61.dat | family_pykspa
Adds policy Run key to start application (2 TTPs, 25 IoCs)
Key: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (shown as Policies\Explorer\Run below); Temp = C:\Users\Admin\AppData\Local\Temp.
description | ioc | process
Set value (str) | Policies\Explorer\Run\zhnxitikwg = "gvizrjfohyxgjqzbz.exe" | cfglr.exe
Key created | Policies\Explorer\Run | xaxybxpphkh.exe
Set value (str) | Policies\Explorer\Run\zhnxitikwg = "gvizrjfohyxgjqzbz.exe" | cfglr.exe
Set value (str) | Policies\Explorer\Run\zhnxitikwg = "nfvpkfeqmgiuakwbcljb.exe" | cfglr.exe
Set value (str) | Policies\Explorer\Run\afipxfr = "Temp\argztnlwrklwbkvzzhe.exe" | cfglr.exe
Key created | Policies\Explorer\Run | xaxybxpphkh.exe
Set value (str) | Policies\Explorer\Run\afipxfr = "Temp\gvizrjfohyxgjqzbz.exe" | xaxybxpphkh.exe
Key created | Policies\Explorer\Run | cfglr.exe
Set value (str) | Policies\Explorer\Run\zhnxitikwg = "cvmhdzzmjehubmzfhrqja.exe" | cfglr.exe
Set value (str) | Policies\Explorer\Run\afipxfr = "Temp\gvizrjfohyxgjqzbz.exe" | cfglr.exe
Set value (str) | Policies\Explorer\Run\afipxfr = "Temp\cvmhdzzmjehubmzfhrqja.exe" | cfglr.exe
Set value (str) | Policies\Explorer\Run\zhnxitikwg = "cvmhdzzmjehubmzfhrqja.exe" | xaxybxpphkh.exe
Set value (str) | Policies\Explorer\Run\afipxfr = "Temp\pftlexueyqqaemwzyf.exe" | cfglr.exe
Set value (str) | Policies\Explorer\Run\zhnxitikwg = "nfvpkfeqmgiuakwbcljb.exe" | xaxybxpphkh.exe
Set value (str) | Policies\Explorer\Run\afipxfr = "Temp\gvizrjfohyxgjqzbz.exe" | cfglr.exe
Set value (str) | Policies\Explorer\Run\afipxfr = "Temp\znzpgxsasigoqwef.exe" | xaxybxpphkh.exe
Set value (str) | Policies\Explorer\Run\zhnxitikwg = "znzpgxsasigoqwef.exe" | cfglr.exe
Set value (str) | Policies\Explorer\Run\zhnxitikwg = "znzpgxsasigoqwef.exe" | xaxybxpphkh.exe
Set value (str) | Policies\Explorer\Run\zhnxitikwg = "cvmhdzzmjehubmzfhrqja.exe" | xaxybxpphkh.exe
Key created | Policies\Explorer\Run | cfglr.exe
Key created | Policies\Explorer\Run | xaxybxpphkh.exe
Set value (str) | Policies\Explorer\Run\afipxfr = "Temp\nfvpkfeqmgiuakwbcljb.exe" | cfglr.exe
Set value (str) | Policies\Explorer\Run\afipxfr = "Temp\nfvpkfeqmgiuakwbcljb.exe" | xaxybxpphkh.exe
Key created | Policies\Explorer\Run | xaxybxpphkh.exe
Set value (str) | Policies\Explorer\Run\afipxfr = "Temp\pftlexueyqqaemwzyf.exe" | xaxybxpphkh.exe
Boot or Logon Autostart Execution: Active Setup (2 TTPs, 3 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine. Here the writer is explorer.exe and the key is the per-user Installed Components key; no component subkey or StubPath value is recorded, so on its own this entry is weak evidence.
description | ioc | process
Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Disables RegEdit via registry modification (6 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xaxybxpphkh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | xaxybxpphkh.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cfglr.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cfglr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cfglr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | cfglr.exe
Executes dropped EXE (15 IoCs)
pid | Process
2832 | xaxybxpphkh.exe
2436 | cfglr.exe
2524 | cfglr.exe
2528 | argztnlwrklwbkvzzhe.exe
2348 | cvmhdzzmjehubmzfhrqja.exe
2020 | xaxybxpphkh.exe
1044 | xaxybxpphkh.exe
2568 | argztnlwrklwbkvzzhe.exe
2596 | znzpgxsasigoqwef.exe
2892 | xaxybxpphkh.exe
2812 | xaxybxpphkh.exe
2388 | znzpgxsasigoqwef.exe
1404 | gvizrjfohyxgjqzbz.exe
2740 | xaxybxpphkh.exe
380 | xaxybxpphkh.exe
Impair Defenses: Safe Mode Boot (1 TTP, 3 IoCs)
Deleting a service's entry under SafeBoot\Minimal stops that service from loading in Safe Mode, so Windows Defender (WinDefend) is not available for cleanup from a safe boot.
description | ioc | process
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend | cfglr.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc | cfglr.exe
Key deleted | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power | cfglr.exe
Loads dropped DLL (18 IoCs)
pid | Process
2828 | JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
2828 | JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
2832 | xaxybxpphkh.exe
2832 | xaxybxpphkh.exe
2832 | xaxybxpphkh.exe
2832 | xaxybxpphkh.exe
2528 | argztnlwrklwbkvzzhe.exe
2348 | cvmhdzzmjehubmzfhrqja.exe
2528 | argztnlwrklwbkvzzhe.exe
2348 | cvmhdzzmjehubmzfhrqja.exe
2596 | znzpgxsasigoqwef.exe
2596 | znzpgxsasigoqwef.exe
2568 | argztnlwrklwbkvzzhe.exe
2568 | argztnlwrklwbkvzzhe.exe
2388 | znzpgxsasigoqwef.exe
2388 | znzpgxsasigoqwef.exe
1404 | gvizrjfohyxgjqzbz.exe
1404 | gvizrjfohyxgjqzbz.exe
Adds Run key to start application (2 TTPs, 64 IoCs)
Abbreviations used below: HKU = \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion; HKLM32 = \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion; Temp = C:\Users\Admin\AppData\Local\Temp. Data ending in " ." is recorded exactly as the sample wrote it. On 64-bit Windows the Wow6432Node Run and RunOnce keys are processed at logon alongside the native ones, so the HKLM32 writes are effective; bare file names (no directory) are resolved through the system search path, which is why the same names are also dropped into C:\Windows and C:\Windows\SysWOW64 (see the file sections below).
description | ioc | process
Set value (str) | HKU\Run\pvzhqzmm = "Temp\gvizrjfohyxgjqzbz.exe" | cfglr.exe
Set value (str) | HKLM32\Run\pvzhqzmm = "pftlexueyqqaemwzyf.exe" | cfglr.exe
Set value (str) | HKLM32\Run\rdnbqfyeuiekko = "Temp\gvizrjfohyxgjqzbz.exe" | xaxybxpphkh.exe
Set value (str) | HKLM32\Run\rdnbqfyeuiekko = "Temp\argztnlwrklwbkvzzhe.exe" | xaxybxpphkh.exe
Set value (str) | HKLM32\RunOnce\qbkxlzrwlytyx = "Temp\cvmhdzzmjehubmzfhrqja.exe ." | xaxybxpphkh.exe
Set value (str) | HKU\RunOnce\gnsblvjkv = "Temp\gvizrjfohyxgjqzbz.exe ." | cfglr.exe
Set value (str) | HKU\RunOnce\gnsblvjkv = "Temp\znzpgxsasigoqwef.exe ." | cfglr.exe
Set value (str) | HKLM32\Run\pvzhqzmm = "argztnlwrklwbkvzzhe.exe" | cfglr.exe
Set value (str) | HKU\RunOnce\rbjvivmqeqko = "znzpgxsasigoqwef.exe ." | cfglr.exe
Set value (str) | HKU\Run\udkvhtjmzkd = "gvizrjfohyxgjqzbz.exe" | xaxybxpphkh.exe
Set value (str) | HKLM32\RunOnce\gnsblvjkv = "argztnlwrklwbkvzzhe.exe ." | cfglr.exe
Set value (str) | HKLM32\RunOnce\gnsblvjkv = "gvizrjfohyxgjqzbz.exe ." | cfglr.exe
Set value (str) | HKLM32\RunOnce\qbkxlzrwlytyx = "Temp\cvmhdzzmjehubmzfhrqja.exe ." | cfglr.exe
Set value (str) | HKLM32\RunOnce\gnsblvjkv = "nfvpkfeqmgiuakwbcljb.exe ." | cfglr.exe
Set value (str) | HKU\RunOnce\rbjvivmqeqko = "argztnlwrklwbkvzzhe.exe ." | cfglr.exe
Set value (str) | HKLM32\RunOnce\qbkxlzrwlytyx = "Temp\nfvpkfeqmgiuakwbcljb.exe ." | cfglr.exe
Set value (str) | HKLM32\Run\rdnbqfyeuiekko = "Temp\argztnlwrklwbkvzzhe.exe" | cfglr.exe
Set value (str) | HKLM32\RunOnce\qbkxlzrwlytyx = "Temp\gvizrjfohyxgjqzbz.exe ." | cfglr.exe
Set value (str) | HKU\RunOnce\gnsblvjkv = "Temp\cvmhdzzmjehubmzfhrqja.exe ." | cfglr.exe
Set value (str) | HKU\Run\pvzhqzmm = "Temp\argztnlwrklwbkvzzhe.exe" | cfglr.exe
Set value (str) | HKLM32\Run\pvzhqzmm = "znzpgxsasigoqwef.exe" | cfglr.exe
Set value (str) | HKU\RunOnce\rbjvivmqeqko = "znzpgxsasigoqwef.exe ." | cfglr.exe
Set value (str) | HKU\Run\udkvhtjmzkd = "nfvpkfeqmgiuakwbcljb.exe" | cfglr.exe
Set value (str) | HKU\Run\pvzhqzmm = "Temp\znzpgxsasigoqwef.exe" | cfglr.exe
Set value (str) | HKLM32\Run\pvzhqzmm = "argztnlwrklwbkvzzhe.exe" | xaxybxpphkh.exe
Set value (str) | HKU\RunOnce\gnsblvjkv = "Temp\pftlexueyqqaemwzyf.exe ." | cfglr.exe
Set value (str) | HKU\RunOnce\gnsblvjkv = "Temp\gvizrjfohyxgjqzbz.exe ." | xaxybxpphkh.exe
Set value (str) | HKU\Run\pvzhqzmm = "Temp\nfvpkfeqmgiuakwbcljb.exe" | xaxybxpphkh.exe
Set value (str) | HKLM32\RunOnce\gnsblvjkv = "cvmhdzzmjehubmzfhrqja.exe ." | cfglr.exe
Set value (str) | HKLM32\RunOnce\qbkxlzrwlytyx = "Temp\pftlexueyqqaemwzyf.exe ." | xaxybxpphkh.exe
Set value (str) | HKLM32\Run\pvzhqzmm = "znzpgxsasigoqwef.exe" | cfglr.exe
Set value (str) | HKLM32\RunOnce\qbkxlzrwlytyx = "Temp\pftlexueyqqaemwzyf.exe ." | cfglr.exe
Set value (str) | HKLM32\Run\pvzhqzmm = "argztnlwrklwbkvzzhe.exe" | cfglr.exe
Set value (str) | HKLM32\Run\pvzhqzmm = "cvmhdzzmjehubmzfhrqja.exe" | cfglr.exe
Set value (str) | HKU\Run\udkvhtjmzkd = "gvizrjfohyxgjqzbz.exe" | cfglr.exe
Set value (str) | HKLM32\Run\pvzhqzmm = "gvizrjfohyxgjqzbz.exe" | xaxybxpphkh.exe
Set value (str) | HKLM32\Run\rdnbqfyeuiekko = "Temp\cvmhdzzmjehubmzfhrqja.exe" | xaxybxpphkh.exe
Set value (str) | HKLM32\Run\rdnbqfyeuiekko = "Temp\gvizrjfohyxgjqzbz.exe" | cfglr.exe
Set value (str) | HKU\Run\udkvhtjmzkd = "cvmhdzzmjehubmzfhrqja.exe" | cfglr.exe
Set value (str) | HKLM32\Run\rdnbqfyeuiekko = "Temp\cvmhdzzmjehubmzfhrqja.exe" | cfglr.exe
Set value (str) | HKLM32\RunOnce\qbkxlzrwlytyx = "Temp\pftlexueyqqaemwzyf.exe ." | cfglr.exe
Set value (str) | HKU\RunOnce\gnsblvjkv = "Temp\cvmhdzzmjehubmzfhrqja.exe ." | cfglr.exe
Set value (str) | HKU\RunOnce\rbjvivmqeqko = "znzpgxsasigoqwef.exe ." | xaxybxpphkh.exe
Set value (str) | HKU\Run\pvzhqzmm = "Temp\cvmhdzzmjehubmzfhrqja.exe" | xaxybxpphkh.exe
Set value (str) | HKU\RunOnce\rbjvivmqeqko = "cvmhdzzmjehubmzfhrqja.exe ." | cfglr.exe
Set value (str) | HKU\RunOnce\gnsblvjkv = "Temp\znzpgxsasigoqwef.exe ." | xaxybxpphkh.exe
Set value (str) | HKLM32\RunOnce\gnsblvjkv = "gvizrjfohyxgjqzbz.exe ." | xaxybxpphkh.exe
Set value (str) | HKLM32\RunOnce\qbkxlzrwlytyx = "Temp\argztnlwrklwbkvzzhe.exe ." | xaxybxpphkh.exe
Set value (str) | HKU\RunOnce\rbjvivmqeqko = "pftlexueyqqaemwzyf.exe ." | xaxybxpphkh.exe
Set value (str) | HKLM32\Run\rdnbqfyeuiekko = "Temp\nfvpkfeqmgiuakwbcljb.exe" | cfglr.exe
Set value (str) | HKU\Run\pvzhqzmm = "Temp\pftlexueyqqaemwzyf.exe" | cfglr.exe
Set value (str) | HKU\RunOnce\gnsblvjkv = "Temp\argztnlwrklwbkvzzhe.exe ." | cfglr.exe
Set value (str) | HKLM32\RunOnce\gnsblvjkv = "argztnlwrklwbkvzzhe.exe ." | xaxybxpphkh.exe
Set value (str) | HKU\Run\udkvhtjmzkd = "pftlexueyqqaemwzyf.exe" | cfglr.exe
Set value (str) | HKU\RunOnce\rbjvivmqeqko = "nfvpkfeqmgiuakwbcljb.exe ." | cfglr.exe
Set value (str) | HKLM32\RunOnce\gnsblvjkv = "gvizrjfohyxgjqzbz.exe ." | xaxybxpphkh.exe
Set value (str) | HKLM32\Run\pvzhqzmm = "gvizrjfohyxgjqzbz.exe" | cfglr.exe
Set value (str) | HKU\Run\udkvhtjmzkd = "pftlexueyqqaemwzyf.exe" | cfglr.exe
Set value (str) | HKU\Run\pvzhqzmm = "Temp\gvizrjfohyxgjqzbz.exe" | cfglr.exe
Set value (str) | HKLM32\RunOnce\gnsblvjkv = "cvmhdzzmjehubmzfhrqja.exe ." | cfglr.exe
Set value (str) | HKU\RunOnce\rbjvivmqeqko = "argztnlwrklwbkvzzhe.exe ." | cfglr.exe
Set value (str) | HKU\Run\udkvhtjmzkd = "argztnlwrklwbkvzzhe.exe" | cfglr.exe
Set value (str) | HKU\Run\pvzhqzmm = "Temp\cvmhdzzmjehubmzfhrqja.exe" | cfglr.exe
Set value (str) | HKLM32\RunOnce\gnsblvjkv = "pftlexueyqqaemwzyf.exe ." | cfglr.exe
Checks whether UAC is enabled (1 TTP, 12 IoCs)
All entries refer to \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA.
description | ioc | process
Set value (int) | EnableLUA = "0" | cfglr.exe
Key value queried | EnableLUA | cfglr.exe
Set value (int) | EnableLUA = "0" | xaxybxpphkh.exe
Key value queried | EnableLUA | xaxybxpphkh.exe
Set value (int) | EnableLUA = "0" | cfglr.exe
Key value queried | EnableLUA | cfglr.exe
Set value (int) | EnableLUA = "0" | xaxybxpphkh.exe
Key value queried | EnableLUA | xaxybxpphkh.exe
Key value queried | EnableLUA | xaxybxpphkh.exe
Set value (int) | EnableLUA = "0" | xaxybxpphkh.exe
Set value (int) | EnableLUA = "0" | xaxybxpphkh.exe
Key value queried | EnableLUA | xaxybxpphkh.exe
Hijack Execution Flow: Executable Installer File Permissions Weakness (1 TTP, 3 IoCs)
Sets EnableInstallerDetection = 0, which turns off UAC's installer-detection heuristic: application installers are no longer recognised as such and prompted for elevation. This value is disabled by default on enterprise editions, so weigh it together with the other UAC changes above.
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | xaxybxpphkh.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | cfglr.exe
Set value (int) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0" | cfglr.exe
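The UAC values, the DisableRegistryTools writes, the SafeBoot\Minimal deletions and the EnableInstallerDetection change above all land in two registry areas, so one host check covers them. The Python below is an added example, not part of the report or of the sample: audit() grades a snapshot of the Policies\System values plus the subkey names present under SafeBoot\Minimal and returns findings most severe first; read_live_snapshot() is a hypothetical helper that collects that snapshot with the standard winreg module on a Windows host and returns None elsewhere. The severities, the value meanings and the remaining SafeBoot names in REPORT_SAFEBOOT are my assumptions (the report lists only the three deleted entries, and the value semantics follow Microsoft's UAC policy documentation).

```python
"""Triage check for the UAC, registry-tool and Safe Mode tampering listed
above. Added example, not part of the sandbox report."""
import sys
from dataclasses import dataclass


@dataclass(frozen=True)
class Finding:
    severity: str    # critical | high | medium | low
    setting: str
    observed: object
    why: str


# Value name -> (predicate true for the tampered state, severity, explanation).
POLICY_CHECKS = {
    "EnableLUA": (lambda v: v == 0, "critical",
                  "UAC off for every process after the next reboot"),
    "ConsentPromptBehaviorAdmin": (lambda v: v == 0, "high",
                                   "0 = elevate without prompting: admin-token processes elevate silently"),
    "ConsentPromptBehaviorUser": (lambda v: v == 0, "medium",
                                  "0 = automatically deny standard-user elevation requests (a denial, not a bypass, but non-default)"),
    "PromptOnSecureDesktop": (lambda v: v == 0, "medium",
                              "consent UI drawn on the interactive desktop, where other processes can overlay or drive it"),
    "EnableInstallerDetection": (lambda v: v == 0, "low",
                                 "installer heuristic off; default on enterprise SKUs, so weigh with the other findings"),
    "DisableRegistryTools": (lambda v: v == 1, "medium",
                             "regedit refuses to start, hindering manual cleanup"),
}

# SafeBoot\Minimal entries the report shows being deleted. A production baseline
# should come from a known-good host of the same build, not be hard-coded.
SAFEBOOT_EXPECTED = {"WinDefend", "ProfSvc", "Power"}

SEVERITY_ORDER = {"critical": 0, "high": 1, "medium": 2, "low": 3}

# Snapshot constructed from the values the report shows being written. The
# remaining SafeBoot names are illustrative; the report lists only the deletions.
REPORT_POLICY = {"EnableLUA": 0, "ConsentPromptBehaviorAdmin": 0,
                 "ConsentPromptBehaviorUser": 0, "PromptOnSecureDesktop": 0,
                 "EnableInstallerDetection": 0, "DisableRegistryTools": 1}
REPORT_SAFEBOOT = {"Base", "Boot Bus Extender", "EventLog", "PlugPlay"}


def audit(policy, safeboot_minimal):
    """Findings for a Policies\\System snapshot and the SafeBoot\\Minimal subkey names."""
    findings = []
    for name, (tampered, severity, why) in POLICY_CHECKS.items():
        if name in policy and tampered(policy[name]):
            findings.append(Finding(severity, name, policy[name], why))
    for svc in SAFEBOOT_EXPECTED - set(safeboot_minimal):
        findings.append(Finding("high", "SafeBoot\\Minimal\\" + svc, "missing",
                                "service no longer loads in Safe Mode, so a safe boot does not restore it"))
    return sorted(findings, key=lambda f: (SEVERITY_ORDER[f.severity], f.setting))


def uac_effectively_off(policy):
    """EnableLUA=0 disables UAC after reboot; ConsentPromptBehaviorAdmin=0 already
    gives silent elevation to admin users on the running system."""
    return policy.get("EnableLUA") == 0 or policy.get("ConsentPromptBehaviorAdmin") == 0


def read_live_snapshot():
    """Collect the same inputs from a running Windows host via winreg; None elsewhere.
    The per-user DisableRegistryTools value is not read here."""
    if sys.platform != "win32":
        return None
    import winreg
    policy = {}
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System") as key:
        for name in POLICY_CHECKS:
            try:
                policy[name] = winreg.QueryValueEx(key, name)[0]
            except FileNotFoundError:
                continue
    present = set()
    with winreg.OpenKey(winreg.HKEY_LOCAL_MACHINE,
                        r"SYSTEM\CurrentControlSet\Control\SafeBoot\Minimal") as key:
        index = 0
        while True:
            try:
                present.add(winreg.EnumKey(key, index))
            except OSError:
                break
            index += 1
    return policy, present


if __name__ == "__main__":
    snapshot = read_live_snapshot() or (REPORT_POLICY, REPORT_SAFEBOOT)
    for f in audit(*snapshot):
        print(f"[{f.severity}] {f.setting} = {f.observed}: {f.why}")
```

Run on a Windows host it reads the live values; anywhere else it grades the snapshot reconstructed from this report, which yields nine findings led by EnableLUA = 0. The ordering matters in practice: EnableLUA alone needs a reboot to bite, whereas the silent-elevation and secure-desktop changes affect the next elevation request.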
Looks up external IP address via web service (4 IoCs)
Uses a legitimate IP lookup service to find the infected system's external IP.
flow | ioc
9 | www.whatismyip.ca
2 | whatismyipaddress.com
5 | www.showmyipaddress.com
8 | whatismyip.everdot.org
Drops file in System32 directory (64 IoCs)
All paths below are under C:\Windows\SysWOW64. The sample is 32-bit, so its writes aimed at System32 are redirected there by the WOW64 file system redirector; the native System32 directory is not touched by these entries.
description | ioc | process
File opened for modification | SysWOW64\nfvpkfeqmgiuakwbcljb.exe | xaxybxpphkh.exe
File opened for modification | SysWOW64\cvmhdzzmjehubmzfhrqja.exe | xaxybxpphkh.exe
File created | SysWOW64\tnfbyvwkieiweqelozztlh.exe | xaxybxpphkh.exe
File opened for modification | SysWOW64\cvmhdzzmjehubmzfhrqja.exe | xaxybxpphkh.exe
File opened for modification | SysWOW64\pftlexueyqqaemwzyf.exe | cfglr.exe
File opened for modification | SysWOW64\tnfbyvwkieiweqelozztlh.exe | xaxybxpphkh.exe
File created | SysWOW64\pftlexueyqqaemwzyf.exe | xaxybxpphkh.exe
File opened for modification | SysWOW64\nfvpkfeqmgiuakwbcljb.exe | cfglr.exe
File created | SysWOW64\nfvpkfeqmgiuakwbcljb.exe | cfglr.exe
File opened for modification | SysWOW64\argztnlwrklwbkvzzhe.exe | xaxybxpphkh.exe
File created | SysWOW64\gvizrjfohyxgjqzbz.exe | cfglr.exe
File created | SysWOW64\cvmhdzzmjehubmzfhrqja.exe | cfglr.exe
File opened for modification | SysWOW64\tnfbyvwkieiweqelozztlh.exe | xaxybxpphkh.exe
File created | SysWOW64\nfvpkfeqmgiuakwbcljb.exe | xaxybxpphkh.exe
File created | SysWOW64\znzpgxsasigoqwef.exe | cfglr.exe
File opened for modification | SysWOW64\gvizrjfohyxgjqzbz.exe | cfglr.exe
File opened for modification | SysWOW64\gvizrjfohyxgjqzbz.exe | cfglr.exe
File created | SysWOW64\zhnxitikwgyawwytkjxflvgrgiuewyuu.rih | cfglr.exe
File created | SysWOW64\argztnlwrklwbkvzzhe.exe | xaxybxpphkh.exe
File opened for modification | SysWOW64\pftlexueyqqaemwzyf.exe | cfglr.exe
File opened for modification | SysWOW64\cvmhdzzmjehubmzfhrqja.exe | cfglr.exe
File opened for modification | SysWOW64\pftlexueyqqaemwzyf.exe | xaxybxpphkh.exe
File created | SysWOW64\gvizrjfohyxgjqzbz.exe | xaxybxpphkh.exe
File opened for modification | SysWOW64\nfvpkfeqmgiuakwbcljb.exe | xaxybxpphkh.exe
File opened for modification | SysWOW64\argztnlwrklwbkvzzhe.exe | xaxybxpphkh.exe
File opened for modification | SysWOW64\znzpgxsasigoqwef.exe | xaxybxpphkh.exe
File opened for modification | SysWOW64\nfvpkfeqmgiuakwbcljb.exe | xaxybxpphkh.exe
File opened for modification | SysWOW64\znzpgxsasigoqwef.exe | xaxybxpphkh.exe
File created | SysWOW64\znzpgxsasigoqwef.exe | xaxybxpphkh.exe
File created | SysWOW64\argztnlwrklwbkvzzhe.exe | xaxybxpphkh.exe
File created | SysWOW64\tnfbyvwkieiweqelozztlh.exe | xaxybxpphkh.exe
File opened for modification | SysWOW64\tnfbyvwkieiweqelozztlh.exe | cfglr.exe
File opened for modification | SysWOW64\znzpgxsasigoqwef.exe | cfglr.exe
File created | SysWOW64\pftlexueyqqaemwzyf.exe | cfglr.exe
File opened for modification | SysWOW64\tnfbyvwkieiweqelozztlh.exe | cfglr.exe
File created | SysWOW64\pftlexueyqqaemwzyf.exe | cfglr.exe
File created | SysWOW64\ebwvvvzqrqxozofpvjmje.ddh | cfglr.exe
File opened for modification | SysWOW64\gvizrjfohyxgjqzbz.exe | xaxybxpphkh.exe
File created | SysWOW64\znzpgxsasigoqwef.exe | xaxybxpphkh.exe
File created | SysWOW64\gvizrjfohyxgjqzbz.exe | xaxybxpphkh.exe
File opened for modification | SysWOW64\gvizrjfohyxgjqzbz.exe | xaxybxpphkh.exe
File created | SysWOW64\tnfbyvwkieiweqelozztlh.exe | xaxybxpphkh.exe
File created | SysWOW64\argztnlwrklwbkvzzhe.exe | cfglr.exe
File created | SysWOW64\cvmhdzzmjehubmzfhrqja.exe | cfglr.exe
File opened for modification | SysWOW64\nfvpkfeqmgiuakwbcljb.exe | cfglr.exe
File opened for modification | SysWOW64\zhnxitikwgyawwytkjxflvgrgiuewyuu.rih | cfglr.exe
File opened for modification | SysWOW64\tnfbyvwkieiweqelozztlh.exe | xaxybxpphkh.exe
File opened for modification | SysWOW64\znzpgxsasigoqwef.exe | xaxybxpphkh.exe
File created | SysWOW64\gvizrjfohyxgjqzbz.exe | xaxybxpphkh.exe
File opened for modification | SysWOW64\pftlexueyqqaemwzyf.exe | xaxybxpphkh.exe
File opened for modification | SysWOW64\gvizrjfohyxgjqzbz.exe | xaxybxpphkh.exe
File created | SysWOW64\pftlexueyqqaemwzyf.exe | xaxybxpphkh.exe
File created | SysWOW64\cvmhdzzmjehubmzfhrqja.exe | xaxybxpphkh.exe
File created | SysWOW64\znzpgxsasigoqwef.exe | xaxybxpphkh.exe
File created | SysWOW64\nfvpkfeqmgiuakwbcljb.exe | xaxybxpphkh.exe
File created | SysWOW64\cvmhdzzmjehubmzfhrqja.exe | xaxybxpphkh.exe
File created | SysWOW64\znzpgxsasigoqwef.exe | cfglr.exe
File created | SysWOW64\nfvpkfeqmgiuakwbcljb.exe | cfglr.exe
File opened for modification | SysWOW64\cvmhdzzmjehubmzfhrqja.exe | xaxybxpphkh.exe
File opened for modification | SysWOW64\znzpgxsasigoqwef.exe | xaxybxpphkh.exe
File created | SysWOW64\nfvpkfeqmgiuakwbcljb.exe | xaxybxpphkh.exe
File opened for modification | SysWOW64\argztnlwrklwbkvzzhe.exe | cfglr.exe
File opened for modification | SysWOW64\argztnlwrklwbkvzzhe.exe | cfglr.exe
File opened for modification | SysWOW64\cvmhdzzmjehubmzfhrqja.exe | cfglr.exe
Drops file in Program Files directory (4 IoCs)
description | ioc | process
File opened for modification | C:\Program Files (x86)\ebwvvvzqrqxozofpvjmje.ddh | cfglr.exe
File created | C:\Program Files (x86)\ebwvvvzqrqxozofpvjmje.ddh | cfglr.exe
File opened for modification | C:\Program Files (x86)\zhnxitikwgyawwytkjxflvgrgiuewyuu.rih | cfglr.exe
File created | C:\Program Files (x86)\zhnxitikwgyawwytkjxflvgrgiuewyuu.rih | cfglr.exe
Drops file in Windows directory 54 IoCs
description ioc Process
File opened for modification C:\Windows\cvmhdzzmjehubmzfhrqja.exe xaxybxpphkh.exe
File opened for modification C:\Windows\znzpgxsasigoqwef.exe xaxybxpphkh.exe
File opened for modification C:\Windows\argztnlwrklwbkvzzhe.exe xaxybxpphkh.exe
File opened for modification C:\Windows\nfvpkfeqmgiuakwbcljb.exe xaxybxpphkh.exe
File opened for modification C:\Windows\pftlexueyqqaemwzyf.exe cfglr.exe
File opened for modification C:\Windows\znzpgxsasigoqwef.exe cfglr.exe
File opened for modification C:\Windows\argztnlwrklwbkvzzhe.exe xaxybxpphkh.exe
File opened for modification C:\Windows\znzpgxsasigoqwef.exe xaxybxpphkh.exe
File opened for modification C:\Windows\pftlexueyqqaemwzyf.exe xaxybxpphkh.exe
File opened for modification C:\Windows\gvizrjfohyxgjqzbz.exe xaxybxpphkh.exe
File opened for modification C:\Windows\tnfbyvwkieiweqelozztlh.exe cfglr.exe
File opened for modification C:\Windows\gvizrjfohyxgjqzbz.exe xaxybxpphkh.exe
File created C:\Windows\argztnlwrklwbkvzzhe.exe xaxybxpphkh.exe
File opened for modification C:\Windows\tnfbyvwkieiweqelozztlh.exe xaxybxpphkh.exe
File opened for modification C:\Windows\znzpgxsasigoqwef.exe cfglr.exe
File opened for modification C:\Windows\pftlexueyqqaemwzyf.exe cfglr.exe
File opened for modification C:\Windows\argztnlwrklwbkvzzhe.exe cfglr.exe
File opened for modification C:\Windows\zhnxitikwgyawwytkjxflvgrgiuewyuu.rih cfglr.exe
File created C:\Windows\znzpgxsasigoqwef.exe xaxybxpphkh.exe
File created C:\Windows\gvizrjfohyxgjqzbz.exe xaxybxpphkh.exe
File created C:\Windows\nfvpkfeqmgiuakwbcljb.exe xaxybxpphkh.exe
File created C:\Windows\cvmhdzzmjehubmzfhrqja.exe xaxybxpphkh.exe
File created C:\Windows\zhnxitikwgyawwytkjxflvgrgiuewyuu.rih cfglr.exe
File opened for modification C:\Windows\nfvpkfeqmgiuakwbcljb.exe xaxybxpphkh.exe
File opened for modification C:\Windows\nfvpkfeqmgiuakwbcljb.exe xaxybxpphkh.exe
File opened for modification C:\Windows\cvmhdzzmjehubmzfhrqja.exe xaxybxpphkh.exe
File opened for modification C:\Windows\gvizrjfohyxgjqzbz.exe cfglr.exe
File opened for modification C:\Windows\argztnlwrklwbkvzzhe.exe cfglr.exe
File opened for modification C:\Windows\cvmhdzzmjehubmzfhrqja.exe cfglr.exe
File opened for modification C:\Windows\cvmhdzzmjehubmzfhrqja.exe cfglr.exe
File opened for modification C:\Windows\ebwvvvzqrqxozofpvjmje.ddh cfglr.exe
File opened for modification C:\Windows\argztnlwrklwbkvzzhe.exe xaxybxpphkh.exe
File created C:\Windows\znzpgxsasigoqwef.exe xaxybxpphkh.exe
File opened for modification C:\Windows\znzpgxsasigoqwef.exe xaxybxpphkh.exe
File opened for modification C:\Windows\pftlexueyqqaemwzyf.exe xaxybxpphkh.exe
File created C:\Windows\pftlexueyqqaemwzyf.exe xaxybxpphkh.exe
File opened for modification C:\Windows\argztnlwrklwbkvzzhe.exe xaxybxpphkh.exe
File opened for modification C:\Windows\tnfbyvwkieiweqelozztlh.exe cfglr.exe
File opened for modification C:\Windows\gvizrjfohyxgjqzbz.exe xaxybxpphkh.exe
File opened for modification C:\Windows\pftlexueyqqaemwzyf.exe xaxybxpphkh.exe
File opened for modification C:\Windows\tnfbyvwkieiweqelozztlh.exe xaxybxpphkh.exe
File created C:\Windows\tnfbyvwkieiweqelozztlh.exe xaxybxpphkh.exe
File opened for modification C:\Windows\nfvpkfeqmgiuakwbcljb.exe cfglr.exe
File created C:\Windows\ebwvvvzqrqxozofpvjmje.ddh cfglr.exe
File opened for modification C:\Windows\gvizrjfohyxgjqzbz.exe xaxybxpphkh.exe
File opened for modification C:\Windows\pftlexueyqqaemwzyf.exe xaxybxpphkh.exe
File opened for modification C:\Windows\nfvpkfeqmgiuakwbcljb.exe cfglr.exe
File opened for modification C:\Windows\znzpgxsasigoqwef.exe xaxybxpphkh.exe
File opened for modification C:\Windows\tnfbyvwkieiweqelozztlh.exe xaxybxpphkh.exe
File opened for modification C:\Windows\tnfbyvwkieiweqelozztlh.exe xaxybxpphkh.exe
File opened for modification C:\Windows\nfvpkfeqmgiuakwbcljb.exe xaxybxpphkh.exe
File opened for modification C:\Windows\cvmhdzzmjehubmzfhrqja.exe xaxybxpphkh.exe
File opened for modification C:\Windows\cvmhdzzmjehubmzfhrqja.exe xaxybxpphkh.exe
File opened for modification C:\Windows\gvizrjfohyxgjqzbz.exe cfglr.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 9 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language xaxybxpphkh.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cvmhdzzmjehubmzfhrqja.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language znzpgxsasigoqwef.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language argztnlwrklwbkvzzhe.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language gvizrjfohyxgjqzbz.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language znzpgxsasigoqwef.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cfglr.exe
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language argztnlwrklwbkvzzhe.exe
-
Modifies registry class 15 IoCs
description ioc Process
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings explorer.exe
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings explorer.exe
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings explorer.exe
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell explorer.exe
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe
Key created \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU explorer.exe
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff explorer.exe
Set value (data) \REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots explorer.exe
-
Suspicious behavior: EnumeratesProcesses 64 IoCs
pid Process 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2436 cfglr.exe 2436 cfglr.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2436 cfglr.exe 2436 cfglr.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2436 cfglr.exe 2436 cfglr.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2436 cfglr.exe 2436 cfglr.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2436 cfglr.exe 2436 cfglr.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2436 cfglr.exe 2436 cfglr.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2436 cfglr.exe 2436 cfglr.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2436 cfglr.exe 2436 cfglr.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2436 cfglr.exe 2436 cfglr.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2828 
JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2436 cfglr.exe 2436 cfglr.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2436 cfglr.exe 2436 cfglr.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2436 cfglr.exe 2436 cfglr.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe -
Suspicious behavior: GetForegroundWindowSpam 3 IoCs
pid Process 2264 explorer.exe 1604 explorer.exe 2800 explorer.exe -
Suspicious use of AdjustPrivilegeToken 37 IoCs
description pid Process
Token: SeDebugPrivilege 2436 cfglr.exe
Token: SeShutdownPrivilege 2264 explorer.exe
Token: SeShutdownPrivilege 2264 explorer.exe
Token: SeShutdownPrivilege 2264 explorer.exe
Token: SeShutdownPrivilege 2264 explorer.exe
Token: SeShutdownPrivilege 2264 explorer.exe
Token: SeShutdownPrivilege 2264 explorer.exe
Token: SeShutdownPrivilege 2264 explorer.exe
Token: SeShutdownPrivilege 2264 explorer.exe
Token: SeShutdownPrivilege 2264 explorer.exe
Token: SeShutdownPrivilege 2264 explorer.exe
Token: SeShutdownPrivilege 2264 explorer.exe
Token: SeShutdownPrivilege 2264 explorer.exe
Token: SeShutdownPrivilege 1604 explorer.exe
Token: SeShutdownPrivilege 1604 explorer.exe
Token: SeShutdownPrivilege 1604 explorer.exe
Token: SeShutdownPrivilege 1604 explorer.exe
Token: SeShutdownPrivilege 1604 explorer.exe
Token: SeShutdownPrivilege 1604 explorer.exe
Token: SeShutdownPrivilege 1604 explorer.exe
Token: SeShutdownPrivilege 1604 explorer.exe
Token: SeShutdownPrivilege 1604 explorer.exe
Token: SeShutdownPrivilege 1604 explorer.exe
Token: SeShutdownPrivilege 1604 explorer.exe
Token: SeShutdownPrivilege 1604 explorer.exe
Token: SeShutdownPrivilege 2800 explorer.exe
Token: SeShutdownPrivilege 2800 explorer.exe
Token: SeShutdownPrivilege 2800 explorer.exe
Token: SeShutdownPrivilege 2800 explorer.exe
Token: SeShutdownPrivilege 2800 explorer.exe
Token: SeShutdownPrivilege 2800 explorer.exe
Token: SeShutdownPrivilege 2800 explorer.exe
Token: SeShutdownPrivilege 2800 explorer.exe
Token: SeShutdownPrivilege 2800 explorer.exe
Token: SeShutdownPrivilege 2800 explorer.exe
Token: SeShutdownPrivilege 2800 explorer.exe
Token: SeShutdownPrivilege 2800 explorer.exe
-
Suspicious use of FindShellTrayWindow 64 IoCs
pid Process 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe -
Suspicious use of SendNotifyMessage 60 IoCs
pid Process 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 2264 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 1604 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe 2800 explorer.exe -
Suspicious use of WriteProcessMemory 60 IoCs
description pid Process procid_target
PID 2828 wrote to memory of 2832 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 31
PID 2828 wrote to memory of 2832 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 31
PID 2828 wrote to memory of 2832 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 31
PID 2828 wrote to memory of 2832 2828 JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe 31
PID 2832 wrote to memory of 2436 2832 xaxybxpphkh.exe 32
PID 2832 wrote to memory of 2436 2832 xaxybxpphkh.exe 32
PID 2832 wrote to memory of 2436 2832 xaxybxpphkh.exe 32
PID 2832 wrote to memory of 2436 2832 xaxybxpphkh.exe 32
PID 2832 wrote to memory of 2524 2832 xaxybxpphkh.exe 33
PID 2832 wrote to memory of 2524 2832 xaxybxpphkh.exe 33
PID 2832 wrote to memory of 2524 2832 xaxybxpphkh.exe 33
PID 2832 wrote to memory of 2524 2832 xaxybxpphkh.exe 33
PID 2264 wrote to memory of 2528 2264 explorer.exe 35
PID 2264 wrote to memory of 2528 2264 explorer.exe 35
PID 2264 wrote to memory of 2528 2264 explorer.exe 35
PID 2264 wrote to memory of 2528 2264 explorer.exe 35
PID 2264 wrote to memory of 2348 2264 explorer.exe 36
PID 2264 wrote to memory of 2348 2264 explorer.exe 36
PID 2264 wrote to memory of 2348 2264 explorer.exe 36
PID 2264 wrote to memory of 2348 2264 explorer.exe 36
PID 2528 wrote to memory of 1044 2528 argztnlwrklwbkvzzhe.exe 37
PID 2528 wrote to memory of 1044 2528 argztnlwrklwbkvzzhe.exe 37
PID 2528 wrote to memory of 1044 2528 argztnlwrklwbkvzzhe.exe 37
PID 2528 wrote to memory of 1044 2528 argztnlwrklwbkvzzhe.exe 37
PID 2348 wrote to memory of 2020 2348 cvmhdzzmjehubmzfhrqja.exe 38
PID 2348 wrote to memory of 2020 2348 cvmhdzzmjehubmzfhrqja.exe 38
PID 2348 wrote to memory of 2020 2348 cvmhdzzmjehubmzfhrqja.exe 38
PID 2348 wrote to memory of 2020 2348 cvmhdzzmjehubmzfhrqja.exe 38
PID 1604 wrote to memory of 2568 1604 explorer.exe 41
PID 1604 wrote to memory of 2568 1604 explorer.exe 41
PID 1604 wrote to memory of 2568 1604 explorer.exe 41
PID 1604 wrote to memory of 2568 1604 explorer.exe 41
PID 1604 wrote to memory of 2596 1604 explorer.exe 42
PID 1604 wrote to memory of 2596 1604 explorer.exe 42
PID 1604 wrote to memory of 2596 1604 explorer.exe 42
PID 1604 wrote to memory of 2596 1604 explorer.exe 42
PID 2596 wrote to memory of 2892 2596 znzpgxsasigoqwef.exe 44
PID 2596 wrote to memory of 2892 2596 znzpgxsasigoqwef.exe 44
PID 2596 wrote to memory of 2892 2596 znzpgxsasigoqwef.exe 44
PID 2596 wrote to memory of 2892 2596 znzpgxsasigoqwef.exe 44
PID 2568 wrote to memory of 2812 2568 argztnlwrklwbkvzzhe.exe 45
PID 2568 wrote to memory of 2812 2568 argztnlwrklwbkvzzhe.exe 45
PID 2568 wrote to memory of 2812 2568 argztnlwrklwbkvzzhe.exe 45
PID 2568 wrote to memory of 2812 2568 argztnlwrklwbkvzzhe.exe 45
PID 2800 wrote to memory of 2388 2800 explorer.exe 47
PID 2800 wrote to memory of 2388 2800 explorer.exe 47
PID 2800 wrote to memory of 2388 2800 explorer.exe 47
PID 2800 wrote to memory of 2388 2800 explorer.exe 47
PID 2800 wrote to memory of 1404 2800 explorer.exe 48
PID 2800 wrote to memory of 1404 2800 explorer.exe 48
PID 2800 wrote to memory of 1404 2800 explorer.exe 48
PID 2800 wrote to memory of 1404 2800 explorer.exe 48
PID 2388 wrote to memory of 2740 2388 znzpgxsasigoqwef.exe 49
PID 2388 wrote to memory of 2740 2388 znzpgxsasigoqwef.exe 49
PID 2388 wrote to memory of 2740 2388 znzpgxsasigoqwef.exe 49
PID 2388 wrote to memory of 2740 2388 znzpgxsasigoqwef.exe 49
PID 1404 wrote to memory of 380 1404 gvizrjfohyxgjqzbz.exe 50
PID 1404 wrote to memory of 380 1404 gvizrjfohyxgjqzbz.exe 50
PID 1404 wrote to memory of 380 1404 gvizrjfohyxgjqzbz.exe 50
PID 1404 wrote to memory of 380 1404 gvizrjfohyxgjqzbz.exe 50
-
System policy modification 1 TTPs 42 IoCs
description ioc Process
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" cfglr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" xaxybxpphkh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" xaxybxpphkh.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cfglr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xaxybxpphkh.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System cfglr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" xaxybxpphkh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" xaxybxpphkh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" xaxybxpphkh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" cfglr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" cfglr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" cfglr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0" cfglr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System xaxybxpphkh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" cfglr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" cfglr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System xaxybxpphkh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0" xaxybxpphkh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" xaxybxpphkh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cfglr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" cfglr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" cfglr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" cfglr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xaxybxpphkh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xaxybxpphkh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0" cfglr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cfglr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" cfglr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" cfglr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" cfglr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0" cfglr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer cfglr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1" cfglr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System xaxybxpphkh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0" xaxybxpphkh.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer xaxybxpphkh.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer cfglr.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System xaxybxpphkh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0" xaxybxpphkh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0" xaxybxpphkh.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" cfglr.exe
Set value (int) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0" cfglr.exe
-
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8a37689689c2c8072ce71dc9eaee9278.exe"
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID: 2828
  C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8a37689689c2c8072ce71dc9eaee9278.exe*"
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - System policy modification
    PID: 2832
    C:\Users\Admin\AppData\Local\Temp\cfglr.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\cfglr.exe" "-C:\Users\Admin\AppData\Local\Temp\znzpgxsasigoqwef.exe"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Impair Defenses: Safe Mode Boot
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Program Files directory
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - System policy modification
      PID: 2436
    C:\Users\Admin\AppData\Local\Temp\cfglr.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\cfglr.exe" "-C:\Users\Admin\AppData\Local\Temp\znzpgxsasigoqwef.exe"
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Hijack Execution Flow: Executable Installer File Permissions Weakness
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
      PID: 2524
-
C:\Windows\explorer.exe (depth 1)
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2264
  C:\Windows\argztnlwrklwbkvzzhe.exe (depth 2)
    Command line: "C:\Windows\argztnlwrklwbkvzzhe.exe" .
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2528
    C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe" "c:\windows\argztnlwrklwbkvzzhe.exe*."
      - Executes dropped EXE
      PID: 1044
  C:\Users\Admin\AppData\Local\Temp\cvmhdzzmjehubmzfhrqja.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\cvmhdzzmjehubmzfhrqja.exe" .
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2348
    C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe" "c:\users\admin\appdata\local\temp\cvmhdzzmjehubmzfhrqja.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
      PID: 2020
-
C:\Windows\explorer.exe (depth 1)
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 1604
  C:\Windows\argztnlwrklwbkvzzhe.exe (depth 2)
    Command line: "C:\Windows\argztnlwrklwbkvzzhe.exe" .
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2568
    C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe" "c:\windows\argztnlwrklwbkvzzhe.exe*."
      - Executes dropped EXE
      PID: 2812
  C:\Users\Admin\AppData\Local\Temp\znzpgxsasigoqwef.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\znzpgxsasigoqwef.exe" .
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2596
    C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe" "c:\users\admin\appdata\local\temp\znzpgxsasigoqwef.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
      PID: 2892
-
C:\Windows\explorer.exe (depth 1)
  Command line: explorer.exe
  - Boot or Logon Autostart Execution: Active Setup
  - Modifies registry class
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SendNotifyMessage
  - Suspicious use of WriteProcessMemory
  PID: 2800
  C:\Windows\znzpgxsasigoqwef.exe (depth 2)
    Command line: "C:\Windows\znzpgxsasigoqwef.exe" .
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 2388
    C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe" "c:\windows\znzpgxsasigoqwef.exe*."
      - Modifies WinLogon for persistence
      - UAC bypass
      - Adds policy Run key to start application
      - Executes dropped EXE
      - Adds Run key to start application
      - Checks whether UAC is enabled
      - Drops file in System32 directory
      - Drops file in Windows directory
      - System policy modification
      PID: 2740
  C:\Users\Admin\AppData\Local\Temp\gvizrjfohyxgjqzbz.exe (depth 2)
    Command line: "C:\Users\Admin\AppData\Local\Temp\gvizrjfohyxgjqzbz.exe" .
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 1404
    C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe (depth 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe" "c:\users\admin\appdata\local\temp\gvizrjfohyxgjqzbz.exe*."
      - Executes dropped EXE
      PID: 380
-
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution 4
    Active Setup 1
    Registry Run Keys / Startup Folder 2
    Winlogon Helper DLL 1
  Hijack Execution Flow 1
    Executable Installer File Permissions Weakness 1
Privilege Escalation
  Abuse Elevation Control Mechanism 1
    Bypass User Account Control 1
  Boot or Logon Autostart Execution 4
    Active Setup 1
    Registry Run Keys / Startup Folder 2
    Winlogon Helper DLL 1
  Hijack Execution Flow 1
    Executable Installer File Permissions Weakness 1
Defense Evasion
  Abuse Elevation Control Mechanism 1
    Bypass User Account Control 1
  Hijack Execution Flow 1
    Executable Installer File Permissions Weakness 1
  Impair Defenses 2
    Disable or Modify Tools 1
    Safe Mode Boot 1
  Modify Registry 6
Downloads
-
Filesize 260B
MD5 5c9a569a7acea7d9181f8f06246fcaac
SHA1 05a93ec6a16cad87e1d71dd4363adb0a8a5d9f10
SHA256 2263dc35691e1ce62a3491b403c78da4e89d1e8d4a74669464acb8c8d43918b3
SHA512 35d19d00da6b6cc883ef0152307db1f6cfe6a2ec1c5d21df6d9c3a4dd763866b853aa40267c1100f53dde296c3968b313a6bb5aa0435f9b97a05b4fcb9528be4
-
Filesize 3KB
MD5 61c6d95154edff60e7f1d4761b20ccc2
SHA1 25bbdce1332500d4f5adf2dd648b458936f0d017
SHA256 72dc35bdd6bb33014874bf29b62be78f9af46d32f8c6d0ea2688e8b32c236a0c
SHA512 3cac63b8f79a0b5daa8b5aa93b3258350d119a36b1c78ebbb4db6ef1afa173ea7e99d9cf0dc717f945c50cc3b98981b5cf10f910b67ca662c56e53d2a38d427a
-
Filesize 512KB
MD5 8a37689689c2c8072ce71dc9eaee9278
SHA1 9f4b5397777e2740b9c42f5df71eeb143854dd0a
SHA256 a8b7dd0803b23353719c57aa2a57b6124e5aceb16da43b803b146f4e28a1f921
SHA512 d30f59e78c4134770d16ebb8e56d280e21dd221fa43b4a9b604e438b0f3a67d2ec86dae029509b94e5e5b64d92c64f71df6b66643e034384df5b5f8158930191
-
Filesize 700KB
MD5 a240c9f0bf01eb4603b0893687f49a4a
SHA1 bebea068de0baf9a422a47544d564f2ee75e95ba
SHA256 f457bdbdec587cbc91af9138adf8c0ce67eabb9f8bad7861c500ae63a8a8d1ed
SHA512 79934fbbdca9d7da013d340c8d1bf8ec9c04671d3d109c3ed56ccae7e29eb14349a2084e9436a30f6209baa61a78697f0e2febff0f13ac58d886fe86d1faf6f8
-
Filesize 320KB
MD5 304415df6ad55a90301aa8158e5e3582
SHA1 cc20ee7d5e8607f4fa0633093083ec0a68dcf3cd
SHA256 34a5f9e2b494b086abad2721019be271fa43350c9146f000e50fe554f170743d
SHA512 4ef2a9a8a3b36ba8c40a0bda9de415c76f985da34475f9110f7fe7b70a8e235d66ec6e15f76b45c5f75f5594fe05051d8112745e5031a18c817bd5d86212c687