pykspa | 16c93fc1a426856cff62d7a99f8ae5e41442222861a72ca0ede3ecbaf54642e8

Analysis

max time kernel
50s
max time network
51s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29/03/2025, 17:09

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
Size

644KB
MD5

8c0afd40d1eaf4dbd91bacaf28849074
SHA1

2f40d165f1d3961237197f7e454b5fb52c74fad4
SHA256

16c93fc1a426856cff62d7a99f8ae5e41442222861a72ca0ede3ecbaf54642e8
SHA512

e0e54076624aa6f318401d6673f2cdba1aa1134bfe7d3bbcc557dc2aca9113189dcee4e06cbc99bec05cbebc3a5bf151f32904d737a2ef9335e35f69872b4097
SSDEEP

12288:Q6onxOp8FySpE5zvIdtU+YmefT9/mqOplf2AQNWxgqFjj:Ewp8DozAdO98fplf2MJ

Score

10^/10

pykspa defense_evasion discovery persistence privilege_escalation trojan worm

Malware Config

Signatures

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	xaxybxpphkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	xaxybxpphkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	xaxybxpphkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe"	xaxybxpphkh.exe

Pykspa
Pykspa is a worm spreads via Skype uses DGA and it's written in C++.
worm pykspa
Pykspa family
pykspa

UAC bypass 3 TTPs 15 IoCs

defense_evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xaxybxpphkh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xaxybxpphkh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xaxybxpphkh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xaxybxpphkh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xaxybxpphkh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xaxybxpphkh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xaxybxpphkh.exe

Detect Pykspa worm 2 IoCs

worm

resource	yara_rule
behavioral1/files/0x000f0000000139a5-2.dat	family_pykspa
behavioral1/files/0x0009000000016f97-87.dat	family_pykspa

Adds policy Run key to start application 2 TTPs 28 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ockvktjwgpko = "xshzvlictjlwbkvzzhb.exe"	xaxybxpphkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ockvktjwgpko = "mgulgvrkapqaemwzyf.exe"	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dotbntgqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwjzthcujxxgjqzbz.exe"	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ockvktjwgpko = "kgwpmdbwofiuakwbclgc.exe"	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dotbntgqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgulgvrkapqaemwzyf.exe"	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ockvktjwgpko = "woapivpguhgoqwef.exe"	xaxybxpphkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dotbntgqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kgwpmdbwofiuakwbclgc.exe"	xaxybxpphkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ockvktjwgpko = "dwjzthcujxxgjqzbz.exe"	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dotbntgqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\woapivpguhgoqwef.exe"	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ockvktjwgpko = "dwjzthcujxxgjqzbz.exe"	xaxybxpphkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ockvktjwgpko = "zwnhfxwsldhubmzfhrnkb.exe"	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dotbntgqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xshzvlictjlwbkvzzhb.exe"	xaxybxpphkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ockvktjwgpko = "xshzvlictjlwbkvzzhb.exe"	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dotbntgqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwnhfxwsldhubmzfhrnkb.exe"	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dotbntgqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwnhfxwsldhubmzfhrnkb.exe"	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ockvktjwgpko = "woapivpguhgoqwef.exe"	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ockvktjwgpko = "kgwpmdbwofiuakwbclgc.exe"	xaxybxpphkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dotbntgqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwjzthcujxxgjqzbz.exe"	xaxybxpphkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ockvktjwgpko = "kgwpmdbwofiuakwbclgc.exe"	zghlt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xaxybxpphkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	zghlt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xaxybxpphkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dotbntgqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwnhfxwsldhubmzfhrnkb.exe"	xaxybxpphkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xaxybxpphkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\dotbntgqx = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgulgvrkapqaemwzyf.exe"	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\ockvktjwgpko = "mgulgvrkapqaemwzyf.exe"	zghlt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run	xaxybxpphkh.exe

Boot or Logon Autostart Execution: Active Setup 2 TTPs 3 IoCs

Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.

persistence

Active Setup

T1547.014

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Active Setup\Installed Components	explorer.exe

Disables RegEdit via registry modification 9 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zghlt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zghlt.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xaxybxpphkh.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xaxybxpphkh.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xaxybxpphkh.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xaxybxpphkh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xaxybxpphkh.exe

Executes dropped EXE 15 IoCs

pid	Process
2492	xaxybxpphkh.exe
2224	zghlt.exe
2324	zghlt.exe
912	xshzvlictjlwbkvzzhb.exe
852	zwnhfxwsldhubmzfhrnkb.exe
572	xaxybxpphkh.exe
1708	xaxybxpphkh.exe
2836	zwnhfxwsldhubmzfhrnkb.exe
2860	dwjzthcujxxgjqzbz.exe
2684	xaxybxpphkh.exe
2288	xaxybxpphkh.exe
1008	dwjzthcujxxgjqzbz.exe
1200	dwjzthcujxxgjqzbz.exe
2544	xaxybxpphkh.exe
1468	xaxybxpphkh.exe

Impair Defenses: Safe Mode Boot 1 TTPs 3 IoCs

defense_evasion

Safe Mode Boot

T1562.009

description	ioc	Process
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\WinDefend	zghlt.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\ProfSvc	zghlt.exe
Key deleted	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\SafeBoot\Minimal\Power	zghlt.exe

Loads dropped DLL 18 IoCs

pid	Process
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
2492	xaxybxpphkh.exe
2492	xaxybxpphkh.exe
2492	xaxybxpphkh.exe
2492	xaxybxpphkh.exe
912	xshzvlictjlwbkvzzhb.exe
912	xshzvlictjlwbkvzzhb.exe
852	zwnhfxwsldhubmzfhrnkb.exe
852	zwnhfxwsldhubmzfhrnkb.exe
2836	zwnhfxwsldhubmzfhrnkb.exe
2836	zwnhfxwsldhubmzfhrnkb.exe
2860	dwjzthcujxxgjqzbz.exe
2860	dwjzthcujxxgjqzbz.exe
1200	dwjzthcujxxgjqzbz.exe
1200	dwjzthcujxxgjqzbz.exe
1008	dwjzthcujxxgjqzbz.exe
1008	dwjzthcujxxgjqzbz.exe

Adds Run key to start application 2 TTPs 64 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\relvjrgsbjd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwnhfxwsldhubmzfhrnkb.exe ."	zghlt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\nclxnxocnxtyx = "mgulgvrkapqaemwzyf.exe"	xaxybxpphkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\woapivpguhgoqwef = "C:\\Users\\Admin\\AppData\\Local\\Temp\\woapivpguhgoqwef.exe"	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\woapivpguhgoqwef = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgulgvrkapqaemwzyf.exe"	zghlt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\nclxnxocnxtyx = "kgwpmdbwofiuakwbclgc.exe"	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rithzleuhtryzel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgulgvrkapqaemwzyf.exe ."	xaxybxpphkh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oeobsdvkwhekko = "dwjzthcujxxgjqzbz.exe ."	zghlt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\relvjrgsbjd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwjzthcujxxgjqzbz.exe ."	xaxybxpphkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\relvjrgsbjd = "mgulgvrkapqaemwzyf.exe ."	zghlt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wioxkrfqyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwnhfxwsldhubmzfhrnkb.exe"	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\relvjrgsbjd = "zwnhfxwsldhubmzfhrnkb.exe ."	zghlt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oeobsdvkwhekko = "dwjzthcujxxgjqzbz.exe ."	xaxybxpphkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\woapivpguhgoqwef = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwnhfxwsldhubmzfhrnkb.exe"	zghlt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oeobsdvkwhekko = "kgwpmdbwofiuakwbclgc.exe ."	zghlt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oeobsdvkwhekko = "xshzvlictjlwbkvzzhb.exe ."	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wioxkrfqyf = "xshzvlictjlwbkvzzhb.exe"	xaxybxpphkh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wioxkrfqyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgulgvrkapqaemwzyf.exe"	xaxybxpphkh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\relvjrgsbjd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kgwpmdbwofiuakwbclgc.exe ."	xaxybxpphkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\relvjrgsbjd = "xshzvlictjlwbkvzzhb.exe ."	zghlt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\relvjrgsbjd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\woapivpguhgoqwef.exe ."	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wioxkrfqyf = "dwjzthcujxxgjqzbz.exe"	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wioxkrfqyf = "kgwpmdbwofiuakwbclgc.exe"	xaxybxpphkh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wioxkrfqyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwjzthcujxxgjqzbz.exe"	zghlt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wioxkrfqyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xshzvlictjlwbkvzzhb.exe"	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\relvjrgsbjd = "zwnhfxwsldhubmzfhrnkb.exe ."	xaxybxpphkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wioxkrfqyf = "mgulgvrkapqaemwzyf.exe"	zghlt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wioxkrfqyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kgwpmdbwofiuakwbclgc.exe"	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wioxkrfqyf = "kgwpmdbwofiuakwbclgc.exe"	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\woapivpguhgoqwef = "C:\\Users\\Admin\\AppData\\Local\\Temp\\woapivpguhgoqwef.exe"	xaxybxpphkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\relvjrgsbjd = "woapivpguhgoqwef.exe ."	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\relvjrgsbjd = "woapivpguhgoqwef.exe ."	zghlt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oeobsdvkwhekko = "zwnhfxwsldhubmzfhrnkb.exe ."	zghlt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\nclxnxocnxtyx = "zwnhfxwsldhubmzfhrnkb.exe"	xaxybxpphkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wioxkrfqyf = "woapivpguhgoqwef.exe"	xaxybxpphkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rithzleuhtryzel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kgwpmdbwofiuakwbclgc.exe ."	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\relvjrgsbjd = "dwjzthcujxxgjqzbz.exe ."	xaxybxpphkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\relvjrgsbjd = "dwjzthcujxxgjqzbz.exe ."	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\relvjrgsbjd = "zwnhfxwsldhubmzfhrnkb.exe ."	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\relvjrgsbjd = "xshzvlictjlwbkvzzhb.exe ."	xaxybxpphkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rithzleuhtryzel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgulgvrkapqaemwzyf.exe ."	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\woapivpguhgoqwef = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwjzthcujxxgjqzbz.exe"	zghlt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\nclxnxocnxtyx = "kgwpmdbwofiuakwbclgc.exe"	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\woapivpguhgoqwef = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kgwpmdbwofiuakwbclgc.exe"	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rithzleuhtryzel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgulgvrkapqaemwzyf.exe ."	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wioxkrfqyf = "kgwpmdbwofiuakwbclgc.exe"	zghlt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\relvjrgsbjd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\woapivpguhgoqwef.exe ."	zghlt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oeobsdvkwhekko = "kgwpmdbwofiuakwbclgc.exe ."	xaxybxpphkh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oeobsdvkwhekko = "woapivpguhgoqwef.exe ."	xaxybxpphkh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wioxkrfqyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\xshzvlictjlwbkvzzhb.exe"	zghlt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\relvjrgsbjd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwjzthcujxxgjqzbz.exe ."	zghlt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\oeobsdvkwhekko = "woapivpguhgoqwef.exe ."	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wioxkrfqyf = "woapivpguhgoqwef.exe"	xaxybxpphkh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\wioxkrfqyf = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwjzthcujxxgjqzbz.exe"	xaxybxpphkh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\RunOnce\relvjrgsbjd = "C:\\Users\\Admin\\AppData\\Local\\Temp\\woapivpguhgoqwef.exe ."	xaxybxpphkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\woapivpguhgoqwef = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kgwpmdbwofiuakwbclgc.exe"	xaxybxpphkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wioxkrfqyf = "xshzvlictjlwbkvzzhb.exe"	xaxybxpphkh.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\nclxnxocnxtyx = "dwjzthcujxxgjqzbz.exe"	zghlt.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\nclxnxocnxtyx = "woapivpguhgoqwef.exe"	xaxybxpphkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rithzleuhtryzel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\mgulgvrkapqaemwzyf.exe ."	xaxybxpphkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rithzleuhtryzel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\dwjzthcujxxgjqzbz.exe ."	xaxybxpphkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wioxkrfqyf = "dwjzthcujxxgjqzbz.exe"	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\woapivpguhgoqwef = "C:\\Users\\Admin\\AppData\\Local\\Temp\\kgwpmdbwofiuakwbclgc.exe"	xaxybxpphkh.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\wioxkrfqyf = "mgulgvrkapqaemwzyf.exe"	zghlt.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\rithzleuhtryzel = "C:\\Users\\Admin\\AppData\\Local\\Temp\\zwnhfxwsldhubmzfhrnkb.exe ."	zghlt.exe

Checks whether UAC is enabled 1 TTPs 12 IoCs

defense_evasion trojan

System Information Discovery

T1082

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zghlt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	zghlt.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xaxybxpphkh.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xaxybxpphkh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xaxybxpphkh.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xaxybxpphkh.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xaxybxpphkh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xaxybxpphkh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xaxybxpphkh.exe
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	xaxybxpphkh.exe

Hijack Execution Flow: Executable Installer File Permissions Weakness 1 TTPs 3 IoCs

Possible Turn off User Account Control's privilege elevation for standard users.

defense_evasion persistence privilege_escalation

Executable Installer File Permissions Weakness

T1574.005

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	xaxybxpphkh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableInstallerDetection = "0"	zghlt.exe

Looks up external IP address via web service 3 IoCs

Uses a legitimate IP lookup service to find the infected system's external IP.

flow	ioc
2	www.whatismyip.ca
6	whatismyipaddress.com
12	whatismyip.everdot.org

Drops autorun.inf file 1 TTPs 4 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File opened for modification	C:\autorun.inf	zghlt.exe
File created	C:\autorun.inf	zghlt.exe
File opened for modification	F:\autorun.inf	zghlt.exe
File created	F:\autorun.inf	zghlt.exe

Drops file in System32 directory 46 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\dwjzthcujxxgjqzbz.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\SysWOW64\xshzvlictjlwbkvzzhb.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\SysWOW64\dwjzthcujxxgjqzbz.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\SysWOW64\xshzvlictjlwbkvzzhb.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\SysWOW64\qogbattqkdiweqelozwumh.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\SysWOW64\mgulgvrkapqaemwzyf.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\SysWOW64\qogbattqkdiweqelozwumh.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\SysWOW64\qogbattqkdiweqelozwumh.exe	zghlt.exe
File opened for modification	C:\Windows\SysWOW64\mgulgvrkapqaemwzyf.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\SysWOW64\zwnhfxwsldhubmzfhrnkb.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\SysWOW64\woapivpguhgoqwef.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\SysWOW64\xshzvlictjlwbkvzzhb.exe	zghlt.exe
File opened for modification	C:\Windows\SysWOW64\zwnhfxwsldhubmzfhrnkb.exe	zghlt.exe
File opened for modification	C:\Windows\SysWOW64\zwnhfxwsldhubmzfhrnkb.exe	zghlt.exe
File opened for modification	C:\Windows\SysWOW64\qogbattqkdiweqelozwumh.exe	zghlt.exe
File opened for modification	C:\Windows\SysWOW64\nclxnxocnxtyxafdxznclxnxocnxtyxafdx.ncl	zghlt.exe
File opened for modification	C:\Windows\SysWOW64\dwjzthcujxxgjqzbz.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\SysWOW64\mgulgvrkapqaemwzyf.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\SysWOW64\qogbattqkdiweqelozwumh.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\SysWOW64\woapivpguhgoqwef.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\SysWOW64\dwjzthcujxxgjqzbz.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\SysWOW64\xshzvlictjlwbkvzzhb.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\SysWOW64\woapivpguhgoqwef.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\SysWOW64\kgwpmdbwofiuakwbclgc.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\SysWOW64\dwjzthcujxxgjqzbz.exe	zghlt.exe
File opened for modification	C:\Windows\SysWOW64\mgulgvrkapqaemwzyf.exe	zghlt.exe
File opened for modification	C:\Windows\SysWOW64\woapivpguhgoqwef.exe	zghlt.exe
File opened for modification	C:\Windows\SysWOW64\xshzvlictjlwbkvzzhb.exe	zghlt.exe
File created	C:\Windows\SysWOW64\nclxnxocnxtyxafdxznclxnxocnxtyxafdx.ncl	zghlt.exe
File opened for modification	C:\Windows\SysWOW64\qogbattqkdiweqelozwumh.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\SysWOW64\zwnhfxwsldhubmzfhrnkb.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\SysWOW64\woapivpguhgoqwef.exe	zghlt.exe
File opened for modification	C:\Windows\SysWOW64\dwjzthcujxxgjqzbz.exe	zghlt.exe
File opened for modification	C:\Windows\SysWOW64\kgwpmdbwofiuakwbclgc.exe	zghlt.exe
File created	C:\Windows\SysWOW64\eighmlruuteymeylulosqrwv.eed	zghlt.exe
File opened for modification	C:\Windows\SysWOW64\zwnhfxwsldhubmzfhrnkb.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\SysWOW64\kgwpmdbwofiuakwbclgc.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\SysWOW64\mgulgvrkapqaemwzyf.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\SysWOW64\xshzvlictjlwbkvzzhb.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\SysWOW64\kgwpmdbwofiuakwbclgc.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\SysWOW64\woapivpguhgoqwef.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\SysWOW64\kgwpmdbwofiuakwbclgc.exe	zghlt.exe
File opened for modification	C:\Windows\SysWOW64\mgulgvrkapqaemwzyf.exe	zghlt.exe
File opened for modification	C:\Windows\SysWOW64\eighmlruuteymeylulosqrwv.eed	zghlt.exe
File opened for modification	C:\Windows\SysWOW64\kgwpmdbwofiuakwbclgc.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\SysWOW64\zwnhfxwsldhubmzfhrnkb.exe	xaxybxpphkh.exe

Drops file in Program Files directory 4 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\eighmlruuteymeylulosqrwv.eed	zghlt.exe
File created	C:\Program Files (x86)\eighmlruuteymeylulosqrwv.eed	zghlt.exe
File opened for modification	C:\Program Files (x86)\nclxnxocnxtyxafdxznclxnxocnxtyxafdx.ncl	zghlt.exe
File created	C:\Program Files (x86)\nclxnxocnxtyxafdxznclxnxocnxtyxafdx.ncl	zghlt.exe

Drops file in Windows directory 46 IoCs

description	ioc	Process
File opened for modification	C:\Windows\zwnhfxwsldhubmzfhrnkb.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\qogbattqkdiweqelozwumh.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\zwnhfxwsldhubmzfhrnkb.exe	zghlt.exe
File opened for modification	C:\Windows\woapivpguhgoqwef.exe	zghlt.exe
File opened for modification	C:\Windows\qogbattqkdiweqelozwumh.exe	zghlt.exe
File opened for modification	C:\Windows\zwnhfxwsldhubmzfhrnkb.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\xshzvlictjlwbkvzzhb.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\qogbattqkdiweqelozwumh.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\dwjzthcujxxgjqzbz.exe	zghlt.exe
File opened for modification	C:\Windows\woapivpguhgoqwef.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\kgwpmdbwofiuakwbclgc.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\mgulgvrkapqaemwzyf.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\kgwpmdbwofiuakwbclgc.exe	zghlt.exe
File opened for modification	C:\Windows\xshzvlictjlwbkvzzhb.exe	zghlt.exe
File opened for modification	C:\Windows\eighmlruuteymeylulosqrwv.eed	zghlt.exe
File opened for modification	C:\Windows\dwjzthcujxxgjqzbz.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\qogbattqkdiweqelozwumh.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\xshzvlictjlwbkvzzhb.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\woapivpguhgoqwef.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\dwjzthcujxxgjqzbz.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\xshzvlictjlwbkvzzhb.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\dwjzthcujxxgjqzbz.exe	zghlt.exe
File opened for modification	C:\Windows\mgulgvrkapqaemwzyf.exe	zghlt.exe
File opened for modification	C:\Windows\zwnhfxwsldhubmzfhrnkb.exe	zghlt.exe
File opened for modification	C:\Windows\mgulgvrkapqaemwzyf.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\dwjzthcujxxgjqzbz.exe	xaxybxpphkh.exe
File created	C:\Windows\eighmlruuteymeylulosqrwv.eed	zghlt.exe
File opened for modification	C:\Windows\nclxnxocnxtyxafdxznclxnxocnxtyxafdx.ncl	zghlt.exe
File created	C:\Windows\nclxnxocnxtyxafdxznclxnxocnxtyxafdx.ncl	zghlt.exe
File opened for modification	C:\Windows\kgwpmdbwofiuakwbclgc.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\woapivpguhgoqwef.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\dwjzthcujxxgjqzbz.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\mgulgvrkapqaemwzyf.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\zwnhfxwsldhubmzfhrnkb.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\mgulgvrkapqaemwzyf.exe	zghlt.exe
File opened for modification	C:\Windows\mgulgvrkapqaemwzyf.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\kgwpmdbwofiuakwbclgc.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\woapivpguhgoqwef.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\kgwpmdbwofiuakwbclgc.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\woapivpguhgoqwef.exe	zghlt.exe
File opened for modification	C:\Windows\xshzvlictjlwbkvzzhb.exe	zghlt.exe
File opened for modification	C:\Windows\xshzvlictjlwbkvzzhb.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\qogbattqkdiweqelozwumh.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\zwnhfxwsldhubmzfhrnkb.exe	xaxybxpphkh.exe
File opened for modification	C:\Windows\qogbattqkdiweqelozwumh.exe	zghlt.exe
File opened for modification	C:\Windows\kgwpmdbwofiuakwbclgc.exe	zghlt.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zghlt.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xshzvlictjlwbkvzzhb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zwnhfxwsldhubmzfhrnkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwjzthcujxxgjqzbz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	xaxybxpphkh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	zwnhfxwsldhubmzfhrnkb.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwjzthcujxxgjqzbz.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	dwjzthcujxxgjqzbz.exe

Modifies registry class 15 IoCs

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU	explorer.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff	explorer.exe
Key created	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000_Classes\Local Settings	explorer.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

pid	Process
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
2224	zghlt.exe
2224	zghlt.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
2224	zghlt.exe
2224	zghlt.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
2224	zghlt.exe
2224	zghlt.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
2224	zghlt.exe
2224	zghlt.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
2224	zghlt.exe
2224	zghlt.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
2224	zghlt.exe
2224	zghlt.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
2224	zghlt.exe
2224	zghlt.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
2224	zghlt.exe
2224	zghlt.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
2224	zghlt.exe
2224	zghlt.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
2224	zghlt.exe
2224	zghlt.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
2224	zghlt.exe
2224	zghlt.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
2224	zghlt.exe

Suspicious behavior: GetForegroundWindowSpam 3 IoCs

pid	Process
964	explorer.exe
3064	explorer.exe
2736	explorer.exe

Suspicious use of AdjustPrivilegeToken 37 IoCs

description	pid	Process
Token: SeDebugPrivilege	2224	zghlt.exe
Token: SeShutdownPrivilege	964	explorer.exe
Token: SeShutdownPrivilege	964	explorer.exe
Token: SeShutdownPrivilege	964	explorer.exe
Token: SeShutdownPrivilege	964	explorer.exe
Token: SeShutdownPrivilege	964	explorer.exe
Token: SeShutdownPrivilege	964	explorer.exe
Token: SeShutdownPrivilege	964	explorer.exe
Token: SeShutdownPrivilege	964	explorer.exe
Token: SeShutdownPrivilege	964	explorer.exe
Token: SeShutdownPrivilege	964	explorer.exe
Token: SeShutdownPrivilege	964	explorer.exe
Token: SeShutdownPrivilege	964	explorer.exe
Token: SeShutdownPrivilege	3064	explorer.exe
Token: SeShutdownPrivilege	3064	explorer.exe
Token: SeShutdownPrivilege	3064	explorer.exe
Token: SeShutdownPrivilege	3064	explorer.exe
Token: SeShutdownPrivilege	3064	explorer.exe
Token: SeShutdownPrivilege	3064	explorer.exe
Token: SeShutdownPrivilege	3064	explorer.exe
Token: SeShutdownPrivilege	3064	explorer.exe
Token: SeShutdownPrivilege	3064	explorer.exe
Token: SeShutdownPrivilege	3064	explorer.exe
Token: SeShutdownPrivilege	3064	explorer.exe
Token: SeShutdownPrivilege	3064	explorer.exe
Token: SeShutdownPrivilege	2736	explorer.exe
Token: SeShutdownPrivilege	2736	explorer.exe
Token: SeShutdownPrivilege	2736	explorer.exe
Token: SeShutdownPrivilege	2736	explorer.exe
Token: SeShutdownPrivilege	2736	explorer.exe
Token: SeShutdownPrivilege	2736	explorer.exe
Token: SeShutdownPrivilege	2736	explorer.exe
Token: SeShutdownPrivilege	2736	explorer.exe
Token: SeShutdownPrivilege	2736	explorer.exe
Token: SeShutdownPrivilege	2736	explorer.exe
Token: SeShutdownPrivilege	2736	explorer.exe
Token: SeShutdownPrivilege	2736	explorer.exe

Suspicious use of FindShellTrayWindow 64 IoCs

pid	Process
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe

Suspicious use of SendNotifyMessage 51 IoCs

pid	Process
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
964	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
3064	explorer.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe
2736	explorer.exe

Suspicious use of WriteProcessMemory 60 IoCs

description	pid	Process	procid_target
PID 1752 wrote to memory of 2492	1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe	31
PID 1752 wrote to memory of 2492	1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe	31
PID 1752 wrote to memory of 2492	1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe	31
PID 1752 wrote to memory of 2492	1752	JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe	31
PID 2492 wrote to memory of 2224	2492	xaxybxpphkh.exe	32
PID 2492 wrote to memory of 2224	2492	xaxybxpphkh.exe	32
PID 2492 wrote to memory of 2224	2492	xaxybxpphkh.exe	32
PID 2492 wrote to memory of 2224	2492	xaxybxpphkh.exe	32
PID 2492 wrote to memory of 2324	2492	xaxybxpphkh.exe	33
PID 2492 wrote to memory of 2324	2492	xaxybxpphkh.exe	33
PID 2492 wrote to memory of 2324	2492	xaxybxpphkh.exe	33
PID 2492 wrote to memory of 2324	2492	xaxybxpphkh.exe	33
PID 964 wrote to memory of 912	964	explorer.exe	35
PID 964 wrote to memory of 912	964	explorer.exe	35
PID 964 wrote to memory of 912	964	explorer.exe	35
PID 964 wrote to memory of 912	964	explorer.exe	35
PID 964 wrote to memory of 852	964	explorer.exe	36
PID 964 wrote to memory of 852	964	explorer.exe	36
PID 964 wrote to memory of 852	964	explorer.exe	36
PID 964 wrote to memory of 852	964	explorer.exe	36
PID 912 wrote to memory of 572	912	xshzvlictjlwbkvzzhb.exe	37
PID 912 wrote to memory of 572	912	xshzvlictjlwbkvzzhb.exe	37
PID 912 wrote to memory of 572	912	xshzvlictjlwbkvzzhb.exe	37
PID 912 wrote to memory of 572	912	xshzvlictjlwbkvzzhb.exe	37
PID 852 wrote to memory of 1708	852	zwnhfxwsldhubmzfhrnkb.exe	38
PID 852 wrote to memory of 1708	852	zwnhfxwsldhubmzfhrnkb.exe	38
PID 852 wrote to memory of 1708	852	zwnhfxwsldhubmzfhrnkb.exe	38
PID 852 wrote to memory of 1708	852	zwnhfxwsldhubmzfhrnkb.exe	38
PID 3064 wrote to memory of 2836	3064	explorer.exe	41
PID 3064 wrote to memory of 2836	3064	explorer.exe	41
PID 3064 wrote to memory of 2836	3064	explorer.exe	41
PID 3064 wrote to memory of 2836	3064	explorer.exe	41
PID 3064 wrote to memory of 2860	3064	explorer.exe	42
PID 3064 wrote to memory of 2860	3064	explorer.exe	42
PID 3064 wrote to memory of 2860	3064	explorer.exe	42
PID 3064 wrote to memory of 2860	3064	explorer.exe	42
PID 2836 wrote to memory of 2684	2836	zwnhfxwsldhubmzfhrnkb.exe	43
PID 2836 wrote to memory of 2684	2836	zwnhfxwsldhubmzfhrnkb.exe	43
PID 2836 wrote to memory of 2684	2836	zwnhfxwsldhubmzfhrnkb.exe	43
PID 2836 wrote to memory of 2684	2836	zwnhfxwsldhubmzfhrnkb.exe	43
PID 2860 wrote to memory of 2288	2860	dwjzthcujxxgjqzbz.exe	44
PID 2860 wrote to memory of 2288	2860	dwjzthcujxxgjqzbz.exe	44
PID 2860 wrote to memory of 2288	2860	dwjzthcujxxgjqzbz.exe	44
PID 2860 wrote to memory of 2288	2860	dwjzthcujxxgjqzbz.exe	44
PID 2736 wrote to memory of 1008	2736	explorer.exe	47
PID 2736 wrote to memory of 1008	2736	explorer.exe	47
PID 2736 wrote to memory of 1008	2736	explorer.exe	47
PID 2736 wrote to memory of 1008	2736	explorer.exe	47
PID 2736 wrote to memory of 1200	2736	explorer.exe	48
PID 2736 wrote to memory of 1200	2736	explorer.exe	48
PID 2736 wrote to memory of 1200	2736	explorer.exe	48
PID 2736 wrote to memory of 1200	2736	explorer.exe	48
PID 1200 wrote to memory of 2544	1200	dwjzthcujxxgjqzbz.exe	49
PID 1200 wrote to memory of 2544	1200	dwjzthcujxxgjqzbz.exe	49
PID 1200 wrote to memory of 2544	1200	dwjzthcujxxgjqzbz.exe	49
PID 1200 wrote to memory of 2544	1200	dwjzthcujxxgjqzbz.exe	49
PID 1008 wrote to memory of 1468	1008	dwjzthcujxxgjqzbz.exe	50
PID 1008 wrote to memory of 1468	1008	dwjzthcujxxgjqzbz.exe	50
PID 1008 wrote to memory of 1468	1008	dwjzthcujxxgjqzbz.exe	50
PID 1008 wrote to memory of 1468	1008	dwjzthcujxxgjqzbz.exe	50

System policy modification 1 TTPs 42 IoCs

defense_evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xaxybxpphkh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xaxybxpphkh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	xaxybxpphkh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	xaxybxpphkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	xaxybxpphkh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	xaxybxpphkh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	zghlt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xaxybxpphkh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	xaxybxpphkh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	xaxybxpphkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	xaxybxpphkh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	zghlt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xaxybxpphkh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\PromptOnSecureDesktop = "0"	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\FilterAdministratorToken = "0"	zghlt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer	zghlt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xaxybxpphkh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorUser = "0"	xaxybxpphkh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	xaxybxpphkh.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\NoDriveTypeAutoRun = "1"	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	xaxybxpphkh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ConsentPromptBehaviorAdmin = "0"	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableVirtualization = "0"	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\ValidateAdminCodeSignatures = "0"	zghlt.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableSecureUIAPaths = "0"	zghlt.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	xaxybxpphkh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xaxybxpphkh.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	xaxybxpphkh.exe

Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
persistence

Query Registry
T1012

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe"
1⤵
- Loads dropped DLL
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1752
- C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe
  "C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe" "c:\users\admin\appdata\local\temp\jaffacakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe*"
  2⤵
  - Modifies WinLogon for persistence
  - UAC bypass
  - Adds policy Run key to start application
  - Disables RegEdit via registry modification
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Checks whether UAC is enabled
  - Hijack Execution Flow: Executable Installer File Permissions Weakness
  - Drops file in System32 directory
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:2492
- - C:\Users\Admin\AppData\Local\Temp\zghlt.exe
    "C:\Users\Admin\AppData\Local\Temp\zghlt.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Impair Defenses: Safe Mode Boot
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops autorun.inf file
    - Drops file in System32 directory
    - Drops file in Program Files directory
    - Drops file in Windows directory
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - System policy modification
    PID:2224
- - C:\Users\Admin\AppData\Local\Temp\zghlt.exe
    "C:\Users\Admin\AppData\Local\Temp\zghlt.exe" "-c:\users\admin\appdata\local\temp\jaffacakes118_8c0afd40d1eaf4dbd91bacaf28849074.exe"
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Hijack Execution Flow: Executable Installer File Permissions Weakness
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2324

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:964
- C:\Windows\xshzvlictjlwbkvzzhb.exe
  "C:\Windows\xshzvlictjlwbkvzzhb.exe" .
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:912
- - C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe
    "C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe" "c:\windows\xshzvlictjlwbkvzzhb.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:572
- C:\Users\Admin\AppData\Local\Temp\zwnhfxwsldhubmzfhrnkb.exe
  "C:\Users\Admin\AppData\Local\Temp\zwnhfxwsldhubmzfhrnkb.exe" .
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:852
- - C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe
    "C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe" "c:\users\admin\appdata\local\temp\zwnhfxwsldhubmzfhrnkb.exe*."
    3⤵
    - Executes dropped EXE
    PID:1708

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:3064
- C:\Windows\zwnhfxwsldhubmzfhrnkb.exe
  "C:\Windows\zwnhfxwsldhubmzfhrnkb.exe" .
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2836
- - C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe
    "C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe" "c:\windows\zwnhfxwsldhubmzfhrnkb.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2684
- C:\Users\Admin\AppData\Local\Temp\dwjzthcujxxgjqzbz.exe
  "C:\Users\Admin\AppData\Local\Temp\dwjzthcujxxgjqzbz.exe" .
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2860
- - C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe
    "C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe" "c:\users\admin\appdata\local\temp\dwjzthcujxxgjqzbz.exe*."
    3⤵
    - Executes dropped EXE
    PID:2288

C:\Windows\explorer.exe
explorer.exe
1⤵
- Boot or Logon Autostart Execution: Active Setup
- Modifies registry class
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2736
- C:\Windows\dwjzthcujxxgjqzbz.exe
  "C:\Windows\dwjzthcujxxgjqzbz.exe" .
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1008
- - C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe
    "C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe" "c:\windows\dwjzthcujxxgjqzbz.exe*."
    3⤵
    - Executes dropped EXE
    PID:1468
- C:\Users\Admin\AppData\Local\Temp\dwjzthcujxxgjqzbz.exe
  "C:\Users\Admin\AppData\Local\Temp\dwjzthcujxxgjqzbz.exe" .
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:1200
- - C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe
    "C:\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe" "c:\users\admin\appdata\local\temp\dwjzthcujxxgjqzbz.exe*."
    3⤵
    - Modifies WinLogon for persistence
    - UAC bypass
    - Adds policy Run key to start application
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Adds Run key to start application
    - Checks whether UAC is enabled
    - Drops file in System32 directory
    - Drops file in Windows directory
    - System policy modification
    PID:2544

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Active Setup

T1547.014

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Hijack Execution Flow

T1574

Executable Installer File Permissions Weakness

T1574.005

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Safe Mode Boot

T1562.009

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\eighmlruuteymeylulosqrwv.eed

Filesize
272B

MD5
115baf37081e164c6a21b7146d3844c8

SHA1
e57afb1528258c4e9bc9fabafd0de0f9b25aab7b

SHA256
016df868fa137db533831deb87dbb396fa368e76dd90da7211fb2ba898a94e02

SHA512
8149070f23c0a8d5db8251538e93b05568839b5fe35671c4381041fc975cef71e1a98b4463c2c4780af222081a8f2ca7b3341d3666f03cb3b163a546a384a264

Download Submit
C:\Users\Admin\AppData\Local\eighmlruuteymeylulosqrwv.eed

Filesize
272B

MD5
0ee1be87baeecb4ea5caf4383adc2a15

SHA1
25d0fc9fcc0f4553dcf7a3af0a5da7fbcaf5f579

SHA256
c29f42742e7f1c9c9d787d7be2a4c56ffc35530c9a499a4cfe64551a374008a6

SHA512
bb4d31c328100d9e654e9b363d338892e5688898db0e1563299d704d1cd3672970437bf645eea72cc81fa5ebcd242e04368ed5aa674272f91c7b395d07d71869

Download Submit
C:\Users\Admin\AppData\Local\eighmlruuteymeylulosqrwv.eed

Filesize
272B

MD5
584a71d7bcae85cc09f5cfcbfd78f717

SHA1
faea3741c72615d86f9abb86de0bd766d6bdcc29

SHA256
65a69a499dd98ee47bbad21cdafc12f18bff11c4c990219992410ea4d52e0c57

SHA512
c41fe89f130d39c075fd6af6485e98618723334834bc587f7aa260bb225d723fe0eec6b65e18a0798fd35390e728eeff9bfe1503241660a7f691a301a243315a

Download Submit
C:\Users\Admin\AppData\Local\nclxnxocnxtyxafdxznclxnxocnxtyxafdx.ncl

Filesize
3KB

MD5
859d2a8f7babae5a4105d8b2cd9ed76c

SHA1
78486fc47954bc90600a952a3fb97b073da2a293

SHA256
7c7b8b5beb1578710eabfc1537ac81e439a8702c4e8a97018f905b93e98f9be3

SHA512
3691c364ef271b56952ff8d2045cb7d33000e08c2c6d93123e4695b4cd697f43157066d03e1f037b0de0e1c31579e7fdd1a9f39e5a05b0aed825440ec32ef7b3

Download Submit
C:\Windows\SysWOW64\mgulgvrkapqaemwzyf.exe

Filesize
644KB

MD5
8c0afd40d1eaf4dbd91bacaf28849074

SHA1
2f40d165f1d3961237197f7e454b5fb52c74fad4

SHA256
16c93fc1a426856cff62d7a99f8ae5e41442222861a72ca0ede3ecbaf54642e8

SHA512
e0e54076624aa6f318401d6673f2cdba1aa1134bfe7d3bbcc557dc2aca9113189dcee4e06cbc99bec05cbebc3a5bf151f32904d737a2ef9335e35f69872b4097

Download Submit
C:\mwahsxjs.bat

Filesize
656KB

MD5
ee4bd091971db0b2fbeb4ff61565e2e1

SHA1
4a85ecd725fcadfd3d4a713ea04dc46b57607689

SHA256
e7615efe065ae17ccec55ecb9bf30682a74523c763f09981087fc74fe9777e19

SHA512
81366dbf77d32fd0b69062c47aef224b93351c7f87a96330383f76b35164739703205452b9104714fac36b78ac2d4103ddc729e4a5e0868e599be4bb77c0406a

Download Submit
\Users\Admin\AppData\Local\Temp\xaxybxpphkh.exe

Filesize
320KB

MD5
5203b6ea0901877fbf2d8d6f6d8d338e

SHA1
c803e92561921b38abe13239c1fd85605b570936

SHA256
0cc02d34d5fd4cf892fed282f98c1ad3e7dd6159a8877ae5c46d3f834ed36060

SHA512
d48a41b4fc4c38a6473f789c02918fb7353a4b4199768a3624f3b685d91d38519887a1ccd3616e0d2b079a346afaec5a0f2ef2c46d72d3097ef561cedb476471

Download Submit
\Users\Admin\AppData\Local\Temp\zghlt.exe

Filesize
704KB

MD5
3f9d790bf2d317c711f7a1c95c5c32e4

SHA1
f5deaa7f46d1695c8d817bf1743d06e074df6a17

SHA256
4884bbe74aa78083baa081b965ec2f59c51dbf2be5dd9ad430fb398f3c6e594d

SHA512
f3dd7ed785efa2c7e9534224e45a3e013be25c12a3cc80ee0928d6ecd8dab38c6c32bcdc66a0b7132cd0ed07dba3ec6e9cbe2858671de133d95763db79a3294d

Download Submit
memory/964-212-0x0000000004850000-0x0000000004851000-memory.dmp

Filesize
4KB

Download
memory/3064-274-0x0000000004800000-0x0000000004801000-memory.dmp

Filesize
4KB

Download