pykspa | 126804dd7e7c5b137beee74e61e9be1bda1f98237d47653e27a5d84838d221dd

Analysis

max time kernel
22s
max time network
38s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/03/2025, 17:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
Size

600KB
MD5

8e0598bce0b73645c97c9f7db2559c67
SHA1

bc9a5043bf0c7ea5f476f02b350d700c333b773f
SHA256

126804dd7e7c5b137beee74e61e9be1bda1f98237d47653e27a5d84838d221dd
SHA512

54f62747968fdfb5a136947c70e49f30795f4ceba86aeb9ed2789e82c38c3be89e5305b2678ccf7bd88b898bfc3c38de8efc8f44fa1c7a464defb61133044b31
SSDEEP

6144:Jj6/wndfF/gl0LQIk8DR3dEuAI7pEfxsZozAm9TMdGQLUg1nYmefPImdrion:56onxOp8FySpE5zvIdtU+Ymef

Score

10^/10

pykspa defense_evasion discovery persistence privilege_escalation trojan worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 4 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvtgxqufefd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	yjnscdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	yjnscdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	uvtgxqufefd.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 13 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	uvtgxqufefd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	uvtgxqufefd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	uvtgxqufefd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvtgxqufefd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvtgxqufefd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yjnscdn.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral1/files/0x000a00000001227e-2.dat	family_pykspa
behavioral1/files/0x0005000000019350-61.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 15 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajlow = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azrkixvsneepxuvymhonf.exe"	yjnscdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	yjnscdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzekvxis = "njyojvqkcqnvaussdv.exe"	yjnscdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvtgxqufefd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	uvtgxqufefd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajlow = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljaspdawqgfpwssuhbhf.exe"	yjnscdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzekvxis = "njyojvqkcqnvaussdv.exe"	uvtgxqufefd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajlow = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xreslvogwidjmeay.exe"	uvtgxqufefd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	yjnscdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzekvxis = "ezncwhbulyubfyvue.exe"	yjnscdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzekvxis = "yvlcylhcvkirxsrsexc.exe"	yjnscdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajlow = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njyojvqkcqnvaussdv.exe"	yjnscdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\nzekvxis = "yvlcylhcvkirxsrsexc.exe"	uvtgxqufefd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajlow = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xreslvogwidjmeay.exe"	uvtgxqufefd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ajlow = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azrkixvsneepxuvymhonf.exe"	yjnscdn.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables RegEdit via registry modification 6 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yjnscdn.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	uvtgxqufefd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	uvtgxqufefd.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yjnscdn.exe

Executes dropped EXE 7 IoCs

pid	Process
2776	uvtgxqufefd.exe
1796	yjnscdn.exe
2076	yjnscdn.exe
2400	yvlcylhcvkirxsrsexc.exe
1900	azrkixvsneepxuvymhonf.exe
2120	uvtgxqufefd.exe
2160	uvtgxqufefd.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	yjnscdn.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	yjnscdn.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	yjnscdn.exe

Loads dropped DLL 10 IoCs

pid	Process
2764	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
2764	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
2776	uvtgxqufefd.exe
2776	uvtgxqufefd.exe
2776	uvtgxqufefd.exe
2776	uvtgxqufefd.exe
2400	yvlcylhcvkirxsrsexc.exe
2400	yvlcylhcvkirxsrsexc.exe
1900	azrkixvsneepxuvymhonf.exe
1900	azrkixvsneepxuvymhonf.exe

Adds Run key to start application 2 TTPs 45 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lvycll = "njyojvqkcqnvaussdv.exe"	yjnscdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjnscdn = "xreslvogwidjmeay.exe ."	yjnscdn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xlsanreqag = "njyojvqkcqnvaussdv.exe ."	uvtgxqufefd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pfoyntiwiqhj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xreslvogwidjmeay.exe"	uvtgxqufefd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pfoyntiwiqhj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njyojvqkcqnvaussdv.exe"	yjnscdn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\lvycll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xreslvogwidjmeay.exe"	uvtgxqufefd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\lvycll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvlcylhcvkirxsrsexc.exe"	yjnscdn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yjnscdn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xreslvogwidjmeay.exe ."	yjnscdn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\lvycll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azrkixvsneepxuvymhonf.exe"	uvtgxqufefd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yjnscdn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azrkixvsneepxuvymhonf.exe ."	yjnscdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjnscdn = "njyojvqkcqnvaussdv.exe ."	yjnscdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjnscdn = "ljaspdawqgfpwssuhbhf.exe ."	uvtgxqufefd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xlsanreqag = "yvlcylhcvkirxsrsexc.exe ."	yjnscdn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yjnscdn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azrkixvsneepxuvymhonf.exe ."	uvtgxqufefd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xlsanreqag = "xreslvogwidjmeay.exe ."	yjnscdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shpymrfsdka = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljaspdawqgfpwssuhbhf.exe ."	uvtgxqufefd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjnscdn = "xreslvogwidjmeay.exe ."	yjnscdn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxeqtfqz = "xreslvogwidjmeay.exe"	yjnscdn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yjnscdn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\yvlcylhcvkirxsrsexc.exe ."	yjnscdn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxeqtfqz = "xreslvogwidjmeay.exe"	uvtgxqufefd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lvycll = "ljaspdawqgfpwssuhbhf.exe"	yjnscdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shpymrfsdka = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njyojvqkcqnvaussdv.exe ."	uvtgxqufefd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shpymrfsdka = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azrkixvsneepxuvymhonf.exe ."	yjnscdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shpymrfsdka = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xreslvogwidjmeay.exe ."	yjnscdn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxeqtfqz = "xreslvogwidjmeay.exe"	yjnscdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shpymrfsdka = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azrkixvsneepxuvymhonf.exe ."	yjnscdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pfoyntiwiqhj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ljaspdawqgfpwssuhbhf.exe"	uvtgxqufefd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\yjnscdn = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azrkixvsneepxuvymhonf.exe ."	uvtgxqufefd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lvycll = "yvlcylhcvkirxsrsexc.exe"	yjnscdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lvycll = "yvlcylhcvkirxsrsexc.exe"	uvtgxqufefd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxeqtfqz = "ezncwhbulyubfyvue.exe"	yjnscdn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xlsanreqag = "njyojvqkcqnvaussdv.exe ."	yjnscdn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxeqtfqz = "njyojvqkcqnvaussdv.exe"	uvtgxqufefd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xlsanreqag = "ezncwhbulyubfyvue.exe ."	uvtgxqufefd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\xlsanreqag = "ljaspdawqgfpwssuhbhf.exe ."	yjnscdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pfoyntiwiqhj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xreslvogwidjmeay.exe"	yjnscdn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\lvycll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\azrkixvsneepxuvymhonf.exe"	yjnscdn.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\lvycll = "C:\\Users\\Admin\\AppData\\Local\\Temp\\ezncwhbulyubfyvue.exe"	yjnscdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lvycll = "xreslvogwidjmeay.exe"	yjnscdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\shpymrfsdka = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njyojvqkcqnvaussdv.exe ."	yjnscdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\lvycll = "xreslvogwidjmeay.exe"	uvtgxqufefd.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\erxeqtfqz = "azrkixvsneepxuvymhonf.exe"	yjnscdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\pfoyntiwiqhj = "C:\\Users\\Admin\\AppData\\Local\\Temp\\njyojvqkcqnvaussdv.exe"	yjnscdn.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjnscdn = "njyojvqkcqnvaussdv.exe ."	uvtgxqufefd.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\yjnscdn = "azrkixvsneepxuvymhonf.exe ."	yjnscdn.exe

Checks whether UAC is enabled 1 TTPs 8 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvtgxqufefd.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvtgxqufefd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yjnscdn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yjnscdn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	uvtgxqufefd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yjnscdn.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvtgxqufefd.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

defense_evasion persistence privilege_escalation

Executable Installer File Permissions Weakness

T1574.005

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	uvtgxqufefd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	yjnscdn.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	whatismyip.everdot.org
4	whatismyipaddress.com
6	www.showmyipaddress.com

Drops file in System32 directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\ljaspdawqgfpwssuhbhf.exe	uvtgxqufefd.exe
File opened for modification	C:\Windows\SysWOW64\ljaspdawqgfpwssuhbhf.exe	yjnscdn.exe
File opened for modification	C:\Windows\SysWOW64\yvlcylhcvkirxsrsexc.exe	yjnscdn.exe
File opened for modification	C:\Windows\SysWOW64\xreslvogwidjmeay.exe	uvtgxqufefd.exe
File opened for modification	C:\Windows\SysWOW64\rrkedtsqmefrayaetpxxqk.exe	uvtgxqufefd.exe
File opened for modification	C:\Windows\SysWOW64\xreslvogwidjmeay.exe	yjnscdn.exe
File opened for modification	C:\Windows\SysWOW64\yvlcylhcvkirxsrsexc.exe	uvtgxqufefd.exe
File opened for modification	C:\Windows\SysWOW64\ezncwhbulyubfyvue.exe	yjnscdn.exe
File opened for modification	C:\Windows\SysWOW64\rrkedtsqmefrayaetpxxqk.exe	yjnscdn.exe
File opened for modification	C:\Windows\SysWOW64\ezncwhbulyubfyvue.exe	yjnscdn.exe
File opened for modification	C:\Windows\SysWOW64\slxkcldujuotvmhembcvhumvneteydfwrowlm.rew	yjnscdn.exe
File opened for modification	C:\Windows\SysWOW64\njyojvqkcqnvaussdv.exe	uvtgxqufefd.exe
File opened for modification	C:\Windows\SysWOW64\xreslvogwidjmeay.exe	yjnscdn.exe
File opened for modification	C:\Windows\SysWOW64\azrkixvsneepxuvymhonf.exe	yjnscdn.exe
File created	C:\Windows\SysWOW64\rzacjhouyyhbsyiurvltuwdbio.sbv	yjnscdn.exe
File opened for modification	C:\Windows\SysWOW64\ljaspdawqgfpwssuhbhf.exe	uvtgxqufefd.exe
File opened for modification	C:\Windows\SysWOW64\azrkixvsneepxuvymhonf.exe	uvtgxqufefd.exe
File opened for modification	C:\Windows\SysWOW64\njyojvqkcqnvaussdv.exe	uvtgxqufefd.exe
File opened for modification	C:\Windows\SysWOW64\njyojvqkcqnvaussdv.exe	yjnscdn.exe
File opened for modification	C:\Windows\SysWOW64\njyojvqkcqnvaussdv.exe	yjnscdn.exe
File opened for modification	C:\Windows\SysWOW64\xreslvogwidjmeay.exe	uvtgxqufefd.exe
File opened for modification	C:\Windows\SysWOW64\ezncwhbulyubfyvue.exe	uvtgxqufefd.exe
File opened for modification	C:\Windows\SysWOW64\yvlcylhcvkirxsrsexc.exe	yjnscdn.exe
File opened for modification	C:\Windows\SysWOW64\azrkixvsneepxuvymhonf.exe	uvtgxqufefd.exe
File opened for modification	C:\Windows\SysWOW64\ljaspdawqgfpwssuhbhf.exe	yjnscdn.exe
File opened for modification	C:\Windows\SysWOW64\rrkedtsqmefrayaetpxxqk.exe	yjnscdn.exe
File created	C:\Windows\SysWOW64\slxkcldujuotvmhembcvhumvneteydfwrowlm.rew	yjnscdn.exe
File opened for modification	C:\Windows\SysWOW64\yvlcylhcvkirxsrsexc.exe	uvtgxqufefd.exe
File opened for modification	C:\Windows\SysWOW64\rrkedtsqmefrayaetpxxqk.exe	uvtgxqufefd.exe
File opened for modification	C:\Windows\SysWOW64\ezncwhbulyubfyvue.exe	uvtgxqufefd.exe
File opened for modification	C:\Windows\SysWOW64\azrkixvsneepxuvymhonf.exe	yjnscdn.exe
File opened for modification	C:\Windows\SysWOW64\rzacjhouyyhbsyiurvltuwdbio.sbv	yjnscdn.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\rzacjhouyyhbsyiurvltuwdbio.sbv	yjnscdn.exe
File created	C:\Program Files (x86)\rzacjhouyyhbsyiurvltuwdbio.sbv	yjnscdn.exe
File opened for modification	C:\Program Files (x86)\slxkcldujuotvmhembcvhumvneteydfwrowlm.rew	yjnscdn.exe
File created	C:\Program Files (x86)\slxkcldujuotvmhembcvhumvneteydfwrowlm.rew	yjnscdn.exe

Drops file in Windows directory 32 IoCs

description	ioc	Process
File opened for modification	C:\Windows\xreslvogwidjmeay.exe	yjnscdn.exe
File opened for modification	C:\Windows\slxkcldujuotvmhembcvhumvneteydfwrowlm.rew	yjnscdn.exe
File opened for modification	C:\Windows\ljaspdawqgfpwssuhbhf.exe	uvtgxqufefd.exe
File opened for modification	C:\Windows\ljaspdawqgfpwssuhbhf.exe	uvtgxqufefd.exe
File opened for modification	C:\Windows\azrkixvsneepxuvymhonf.exe	uvtgxqufefd.exe
File opened for modification	C:\Windows\njyojvqkcqnvaussdv.exe	yjnscdn.exe
File opened for modification	C:\Windows\azrkixvsneepxuvymhonf.exe	yjnscdn.exe
File opened for modification	C:\Windows\rzacjhouyyhbsyiurvltuwdbio.sbv	yjnscdn.exe
File opened for modification	C:\Windows\rrkedtsqmefrayaetpxxqk.exe	uvtgxqufefd.exe
File opened for modification	C:\Windows\ezncwhbulyubfyvue.exe	uvtgxqufefd.exe
File opened for modification	C:\Windows\yvlcylhcvkirxsrsexc.exe	yjnscdn.exe
File opened for modification	C:\Windows\yvlcylhcvkirxsrsexc.exe	yjnscdn.exe
File opened for modification	C:\Windows\xreslvogwidjmeay.exe	uvtgxqufefd.exe
File opened for modification	C:\Windows\njyojvqkcqnvaussdv.exe	uvtgxqufefd.exe
File opened for modification	C:\Windows\ezncwhbulyubfyvue.exe	yjnscdn.exe
File created	C:\Windows\rzacjhouyyhbsyiurvltuwdbio.sbv	yjnscdn.exe
File opened for modification	C:\Windows\yvlcylhcvkirxsrsexc.exe	uvtgxqufefd.exe
File opened for modification	C:\Windows\azrkixvsneepxuvymhonf.exe	uvtgxqufefd.exe
File opened for modification	C:\Windows\ezncwhbulyubfyvue.exe	yjnscdn.exe
File opened for modification	C:\Windows\xreslvogwidjmeay.exe	uvtgxqufefd.exe
File opened for modification	C:\Windows\ezncwhbulyubfyvue.exe	uvtgxqufefd.exe
File opened for modification	C:\Windows\njyojvqkcqnvaussdv.exe	uvtgxqufefd.exe
File opened for modification	C:\Windows\yvlcylhcvkirxsrsexc.exe	uvtgxqufefd.exe
File opened for modification	C:\Windows\azrkixvsneepxuvymhonf.exe	yjnscdn.exe
File opened for modification	C:\Windows\rrkedtsqmefrayaetpxxqk.exe	yjnscdn.exe
File opened for modification	C:\Windows\rrkedtsqmefrayaetpxxqk.exe	yjnscdn.exe
File opened for modification	C:\Windows\rrkedtsqmefrayaetpxxqk.exe	uvtgxqufefd.exe
File opened for modification	C:\Windows\xreslvogwidjmeay.exe	yjnscdn.exe
File opened for modification	C:\Windows\ljaspdawqgfpwssuhbhf.exe	yjnscdn.exe
File opened for modification	C:\Windows\ljaspdawqgfpwssuhbhf.exe	yjnscdn.exe
File opened for modification	C:\Windows\njyojvqkcqnvaussdv.exe	yjnscdn.exe
File created	C:\Windows\slxkcldujuotvmhembcvhumvneteydfwrowlm.rew	yjnscdn.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 5 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yjnscdn.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	azrkixvsneepxuvymhonf.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	yvlcylhcvkirxsrsexc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	uvtgxqufefd.exe

Modifies registry class 5 IoCs

description	ioc	Process
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_Classes\Local Settings	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe

Suspicious behavior: EnumeratesProcesses 33 IoCs

pid	Process
2764	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
2764	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
2764	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
2764	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
2764	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
2764	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
1796	yjnscdn.exe
1796	yjnscdn.exe
2764	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
1796	yjnscdn.exe
1796	yjnscdn.exe
2764	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
2764	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
2764	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
1796	yjnscdn.exe
1796	yjnscdn.exe
2764	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
2764	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
1796	yjnscdn.exe
1796	yjnscdn.exe
2764	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
2764	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
2764	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
1796	yjnscdn.exe
1796	yjnscdn.exe
2764	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
2764	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
2764	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
1796	yjnscdn.exe
1796	yjnscdn.exe
2764	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
2764	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
2764	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2988	explorer.exe

Suspicious use of AdjustPrivilegeToken 13 IoCs

description	pid	Process
Token: SeDebugPrivilege	1796	yjnscdn.exe
Token: SeShutdownPrivilege	2988	explorer.exe
Token: SeShutdownPrivilege	2988	explorer.exe
Token: SeShutdownPrivilege	2988	explorer.exe
Token: SeShutdownPrivilege	2988	explorer.exe
Token: SeShutdownPrivilege	2988	explorer.exe
Token: SeShutdownPrivilege	2988	explorer.exe
Token: SeShutdownPrivilege	2988	explorer.exe
Token: SeShutdownPrivilege	2988	explorer.exe
Token: SeShutdownPrivilege	2988	explorer.exe
Token: SeShutdownPrivilege	2988	explorer.exe
Token: SeShutdownPrivilege	2988	explorer.exe
Token: SeShutdownPrivilege	2988	explorer.exe

Suspicious use of FindShellTrayWindow 24 IoCs

pid	Process
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe

Suspicious use of SendNotifyMessage 20 IoCs

pid	Process
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe
2988	explorer.exe

Suspicious use of WriteProcessMemory 28 IoCs

description	pid	Process	procid_target
PID 2764 wrote to memory of 2776	2764	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe	30
PID 2764 wrote to memory of 2776	2764	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe	30
PID 2764 wrote to memory of 2776	2764	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe	30
PID 2764 wrote to memory of 2776	2764	JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe	30
PID 2776 wrote to memory of 1796	2776	uvtgxqufefd.exe	31
PID 2776 wrote to memory of 1796	2776	uvtgxqufefd.exe	31
PID 2776 wrote to memory of 1796	2776	uvtgxqufefd.exe	31
PID 2776 wrote to memory of 1796	2776	uvtgxqufefd.exe	31
PID 2776 wrote to memory of 2076	2776	uvtgxqufefd.exe	32
PID 2776 wrote to memory of 2076	2776	uvtgxqufefd.exe	32
PID 2776 wrote to memory of 2076	2776	uvtgxqufefd.exe	32
PID 2776 wrote to memory of 2076	2776	uvtgxqufefd.exe	32
PID 2988 wrote to memory of 2400	2988	explorer.exe	34
PID 2988 wrote to memory of 2400	2988	explorer.exe	34
PID 2988 wrote to memory of 2400	2988	explorer.exe	34
PID 2988 wrote to memory of 2400	2988	explorer.exe	34
PID 2988 wrote to memory of 1900	2988	explorer.exe	35
PID 2988 wrote to memory of 1900	2988	explorer.exe	35
PID 2988 wrote to memory of 1900	2988	explorer.exe	35
PID 2988 wrote to memory of 1900	2988	explorer.exe	35
PID 2400 wrote to memory of 2120	2400	yvlcylhcvkirxsrsexc.exe	36
PID 2400 wrote to memory of 2120	2400	yvlcylhcvkirxsrsexc.exe	36
PID 2400 wrote to memory of 2120	2400	yvlcylhcvkirxsrsexc.exe	36
PID 2400 wrote to memory of 2120	2400	yvlcylhcvkirxsrsexc.exe	36
PID 1900 wrote to memory of 2160	1900	azrkixvsneepxuvymhonf.exe	37
PID 1900 wrote to memory of 2160	1900	azrkixvsneepxuvymhonf.exe	37
PID 1900 wrote to memory of 2160	1900	azrkixvsneepxuvymhonf.exe	37
PID 1900 wrote to memory of 2160	1900	azrkixvsneepxuvymhonf.exe	37

System policy modification 1 TTPs 38 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	uvtgxqufefd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	uvtgxqufefd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	uvtgxqufefd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvtgxqufefd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	uvtgxqufefd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	uvtgxqufefd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	uvtgxqufefd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	uvtgxqufefd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yjnscdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvtgxqufefd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	uvtgxqufefd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	yjnscdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	yjnscdn.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	uvtgxqufefd.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	uvtgxqufefd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	uvtgxqufefd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	uvtgxqufefd.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	yjnscdn.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	yjnscdn.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8e0598bce0b73645c97c9f7db2559c67.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:2764
- C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe
  "C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8e0598bce0b73645c97c9f7db2559c67.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2776
- - C:\Users\Admin\AppData\Local\Temp\yjnscdn.exe
    "C:\Users\Admin\AppData\Local\Temp\yjnscdn.exe" "-C:\Users\Admin\AppData\Local\Temp\xreslvogwidjmeay.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:1796
- - C:\Users\Admin\AppData\Local\Temp\yjnscdn.exe
    "C:\Users\Admin\AppData\Local\Temp\yjnscdn.exe" "-C:\Users\Admin\AppData\Local\Temp\xreslvogwidjmeay.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2076

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2988
- C:\Windows\yvlcylhcvkirxsrsexc.exe
  "C:\Windows\yvlcylhcvkirxsrsexc.exe" .
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2400
- - C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe
    "C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe" "c:\windows\yvlcylhcvkirxsrsexc.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2120
- C:\Users\Admin\AppData\Local\Temp\azrkixvsneepxuvymhonf.exe
  "C:\Users\Admin\AppData\Local\Temp\azrkixvsneepxuvymhonf.exe" .
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1900
- - C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe
    "C:\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe" "c:\users\admin\appdata\local\temp\azrkixvsneepxuvymhonf.exe*."
    3⤵
    - Executes dropped EXE
    PID:2160

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\rzacjhouyyhbsyiurvltuwdbio.sbv

Filesize
272B

MD5
37d7be0b3a89248433fcb778f6793e38

SHA1
3d3119dfa8247918c587735b9f6e87852bbc0a02

SHA256
4c35e957dc4d3e0c62105db9a3ce98689ec2efce44fb87907b4dba39526ae47e

SHA512
b820a88b85e08746896cc5b6876e2120a8253779c4a4f8db824d650c4635c057dfc0011abb0a24d34a20b268748185ddbbc2ad7aae9d0db8f3e2cfe91dff760e

Download Submit
C:\Users\Admin\AppData\Local\slxkcldujuotvmhembcvhumvneteydfwrowlm.rew

Filesize
3KB

MD5
28b5db244faba07d0744b834106ed237

SHA1
2887f1fb265bf87b58172cf0454a99ce8621e106

SHA256
429be822c814e837111a18bb137dfafcfeb648a1cf26999476a9397dbe2395bf

SHA512
e06fbbf4399a59945f81380c23eff99f3093dd970c3024842f540cccc3a9aced4b66c3e06d4bc0f2bbdf130f701283c33bd3428af765b41e2f9e1c2f9cf4a702

Download Submit
C:\Windows\SysWOW64\njyojvqkcqnvaussdv.exe

Filesize
600KB

MD5
8e0598bce0b73645c97c9f7db2559c67

SHA1
bc9a5043bf0c7ea5f476f02b350d700c333b773f

SHA256
126804dd7e7c5b137beee74e61e9be1bda1f98237d47653e27a5d84838d221dd

SHA512
54f62747968fdfb5a136947c70e49f30795f4ceba86aeb9ed2789e82c38c3be89e5305b2678ccf7bd88b898bfc3c38de8efc8f44fa1c7a464defb61133044b31

Download Submit
\Users\Admin\AppData\Local\Temp\uvtgxqufefd.exe

Filesize
320KB

MD5
5203b6ea0901877fbf2d8d6f6d8d338e

SHA1
c803e92561921b38abe13239c1fd85605b570936

SHA256
0cc02d34d5fd4cf892fed282f98c1ad3e7dd6159a8877ae5c46d3f834ed36060

SHA512
d48a41b4fc4c38a6473f789c02918fb7353a4b4199768a3624f3b685d91d38519887a1ccd3616e0d2b079a346afaec5a0f2ef2c46d72d3097ef561cedb476471

Download Submit
\Users\Admin\AppData\Local\Temp\yjnscdn.exe

Filesize
684KB

MD5
c3d84d42ecbc19a1fd12ca95f498dc13

SHA1
5248e74f4add028dfc0f98a0b08c124cc3518e4d

SHA256
3350a923075fe3f22ea13c353613e7c1502f6bf9c2809a3f05f39394b3f21691

SHA512
45a3a62056b295222339e1b8f24f6443baaaba66c128d8c6e0835f0efb935ba3c108e8a6385e657ef70f7517773f57a2e46cc295a22b43220e4e6e106cb4222e

Download Submit