2278173e5e1a188648cfbdc28969d3498f07b02faeee9d5c9d238cfec1c9a7f4

Virtualization/Sandbox Evasion

T1497

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\ACPI\DSDT\VBOX__	fdade656dbe21b750af957159863c56d_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4084619521-2220719027-1909462854-1000\Control Panel\International\Geo\Nation	fdade656dbe21b750af957159863c56d_JaffaCakes118.exe

Executes dropped EXE 1 IoCs

pid	Process
3560	s584.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	s584.exe
File created	C:\Windows\assembly\Desktop.ini	s584.exe

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	s584.exe
File created	C:\Windows\assembly\Desktop.ini	s584.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	s584.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

System Information Discovery

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	dw20.exe
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0	dw20.exe

Enumerates system info in registry 2 TTPs 4 IoCs

Query Registry

System Information Discovery

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Hardware\Description\System\BIOS	dw20.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU	dw20.exe
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS	fdade656dbe21b750af957159863c56d_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemManufacturer	fdade656dbe21b750af957159863c56d_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 5c000000010000000400000000080000190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b816800000001000000000000007e000000010000000800000000c0032f2df8d6010b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748506200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f53000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703010f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8122000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	s584.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB\Blob = 1900000001000000100000002ee0c890fdcb0441fa180c6834858995030000000100000014000000b94294bf91ea8fb64be61097c7fb001359b676cb68000000010000000800000000800c13c1b9d4017e000000010000000800000000c00c0f7f39d3010b000000010000000e00000057006f005300690067006e0000001d000000010000001000000051541f96c328dd7ac3ef2bdce753ac47140000000100000014000000e166cf0ed1f1b34bb7062014fe8712d5f6fefb3e6200000001000000200000004b22d5a6aec99f3cdb79aa5ec06838479cd5ecba7164f7f22dc1d65f63d857085300000001000000230000003021301f06092b06010401829b510230123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080f000000010000001400000044cb4357ecb773b9ac3a3b0b1e45ab6bc45c2f1c20000000010000007a050000308205763082035ea00302010202105e68d61171946350560068f33ec9c591300d06092a864886f70d01010505003055310b300906035504061302434e311a3018060355040a1311576f5369676e204341204c696d69746564312a30280603550403132143657274696669636174696f6e20417574686f72697479206f6620576f5369676e301e170d3039303830383031303030315a170d3339303830383031303030315a3055310b300906035504061302434e311a3018060355040a1311576f5369676e204341204c696d69746564312a30280603550403132143657274696669636174696f6e20417574686f72697479206f6620576f5369676e30820222300d06092a864886f70d01010105000382020f003082020a0282020100bdca8dacb8911556977b6b5c7ac2de6bd9a1b0c31023faa7a1b2cc31fa3ed9a6296f163de06bf8b8405fdb39a8007a8ba04d547dc22278fc8e09b8a885d7cc95974b74d89e7ef000e40e89ae4928441a1099320f258853a40db30f1208160b0371271c7fe1dbd2fd6768c4055d0a0e5d70d7d897a0bc53419a918df49e36667a7e56c1905fe6b1682036a48c242c2c470b59766630b5bedeed8ff89dd3bb0130e6f2f30ee02c9280f385f9288ab4542e9aedf776fc156816eb4a6ceb2e128fd4cffe0cc75c1d0b7e0532be5eb0092a42d5c94e90b3590dbb7a7ecdd5085ab47fd81c6911f9270f7b06af5483187be1dd547a51686e77fcc6bf524a6646a1b2671abba34f77a0be5dfffc560b43727790ca9ef9f239f50da9f4ead7e7b3102f30423721cc3070c986980fcc584d83bb7de51aa5378db6ac3297003a6371241e9e37c4ff74d437c0e2fe88466011dd083f5036abb87aa495626a6eb0ca6a215a69f3f3fb1d703995f3a76ea68189a188c53b71caa352ee83bbfda077f4e46fe742db6d4a998a3448bc17dce4800822b6f231c03f043eeb9f2079d6b80664640231d7a9cd52fb84456909002adc558bc406464bc04a1d095b3928fda9abce00f92e484b26e6304ca558cab444824fe7911e33c3b093ff11fc81d2ca1f7129dd764f9225af1d81b70f2f8cc306cc2f27a34ae40e99ba7c1e451f7faa194596fdfc3d0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414e166cf0ed1f1b34bb7062014fe8712d5f6fefb3e300d06092a864886f70d01010505000382020100a8cb7240b276c17e7bfcad64e3327bcc3cb65d46d3f52ce2705dc82ed8067d98d10b21a0895924019df9af097d0a238234d5fc7c7299b9a3d754f4ea52700ec5f5d63be13a0932e6213993bdb315ea4f6af4f58b3f2f7c8d582ec5e139a03ec73d4a739e407ac02b61a967c9f324b9b36d552c5a1d9e2572ce0badaac755620bbefb63b3614423a3cbe11a0ef79a064dded4234e21965b395b571d2f5d085e0979ff7c97b54d83ae0dd6e6a379e033d099960230a73effd2a3433f055a06ea4402da7cf848d033a9f907c795e1f53ef55d71baf295a974886159e3bfca5a13ba72b48c5d3687e9a6c53c13bfded04426eeb7ec2e70fad79db7ace5c5405ae6d76c7b2cc3569b47cd0bcefa1bb421d7b766b8f425308b5c0db9ea67b2f46daed5a19e4fd89fe92702b01d06d68fe3fb48129f7f11a1103e4c513a96b0d113f1c7d826ae3aca91c4699ddf012964516f68da14ec084197908dd0b280f2cfc23dbf9168c580671ec4601355d56199577cba950f61493aca75bcc90a933f670e12f228e2311bc05716df087c19c17e0f1f851e0a367c5b7e27bc7abfe0dbf4da52bdde0c547031914395c8bcf03edd097e306450ed7f01a433674d684fbe15efb0f60211a21b13253adcc259f1e35c46bb672c0246ea1e48a6e65bd9b5bc51a29296dbaac63722a6fecc2074a32da92e6bcbc0821121b59379ee4486bed71ee41efb	s584.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB\Blob = 040000000100000010000000a1f2f9b5d2c87a74b8f305f1d7e1848d0f000000010000001400000044cb4357ecb773b9ac3a3b0b1e45ab6bc45c2f1c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703085300000001000000230000003021301f06092b06010401829b510230123010060a2b0601040182373c0101030200c06200000001000000200000004b22d5a6aec99f3cdb79aa5ec06838479cd5ecba7164f7f22dc1d65f63d85708140000000100000014000000e166cf0ed1f1b34bb7062014fe8712d5f6fefb3e1d000000010000001000000051541f96c328dd7ac3ef2bdce753ac470b000000010000000e00000057006f005300690067006e0000007e000000010000000800000000c00c0f7f39d30168000000010000000800000000800c13c1b9d401030000000100000014000000b94294bf91ea8fb64be61097c7fb001359b676cb1900000001000000100000002ee0c890fdcb0441fa180c683485899520000000010000007a050000308205763082035ea00302010202105e68d61171946350560068f33ec9c591300d06092a864886f70d01010505003055310b300906035504061302434e311a3018060355040a1311576f5369676e204341204c696d69746564312a30280603550403132143657274696669636174696f6e20417574686f72697479206f6620576f5369676e301e170d3039303830383031303030315a170d3339303830383031303030315a3055310b300906035504061302434e311a3018060355040a1311576f5369676e204341204c696d69746564312a30280603550403132143657274696669636174696f6e20417574686f72697479206f6620576f5369676e30820222300d06092a864886f70d01010105000382020f003082020a0282020100bdca8dacb8911556977b6b5c7ac2de6bd9a1b0c31023faa7a1b2cc31fa3ed9a6296f163de06bf8b8405fdb39a8007a8ba04d547dc22278fc8e09b8a885d7cc95974b74d89e7ef000e40e89ae4928441a1099320f258853a40db30f1208160b0371271c7fe1dbd2fd6768c4055d0a0e5d70d7d897a0bc53419a918df49e36667a7e56c1905fe6b1682036a48c242c2c470b59766630b5bedeed8ff89dd3bb0130e6f2f30ee02c9280f385f9288ab4542e9aedf776fc156816eb4a6ceb2e128fd4cffe0cc75c1d0b7e0532be5eb0092a42d5c94e90b3590dbb7a7ecdd5085ab47fd81c6911f9270f7b06af5483187be1dd547a51686e77fcc6bf524a6646a1b2671abba34f77a0be5dfffc560b43727790ca9ef9f239f50da9f4ead7e7b3102f30423721cc3070c986980fcc584d83bb7de51aa5378db6ac3297003a6371241e9e37c4ff74d437c0e2fe88466011dd083f5036abb87aa495626a6eb0ca6a215a69f3f3fb1d703995f3a76ea68189a188c53b71caa352ee83bbfda077f4e46fe742db6d4a998a3448bc17dce4800822b6f231c03f043eeb9f2079d6b80664640231d7a9cd52fb84456909002adc558bc406464bc04a1d095b3928fda9abce00f92e484b26e6304ca558cab444824fe7911e33c3b093ff11fc81d2ca1f7129dd764f9225af1d81b70f2f8cc306cc2f27a34ae40e99ba7c1e451f7faa194596fdfc3d0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414e166cf0ed1f1b34bb7062014fe8712d5f6fefb3e300d06092a864886f70d01010505000382020100a8cb7240b276c17e7bfcad64e3327bcc3cb65d46d3f52ce2705dc82ed8067d98d10b21a0895924019df9af097d0a238234d5fc7c7299b9a3d754f4ea52700ec5f5d63be13a0932e6213993bdb315ea4f6af4f58b3f2f7c8d582ec5e139a03ec73d4a739e407ac02b61a967c9f324b9b36d552c5a1d9e2572ce0badaac755620bbefb63b3614423a3cbe11a0ef79a064dded4234e21965b395b571d2f5d085e0979ff7c97b54d83ae0dd6e6a379e033d099960230a73effd2a3433f055a06ea4402da7cf848d033a9f907c795e1f53ef55d71baf295a974886159e3bfca5a13ba72b48c5d3687e9a6c53c13bfded04426eeb7ec2e70fad79db7ace5c5405ae6d76c7b2cc3569b47cd0bcefa1bb421d7b766b8f425308b5c0db9ea67b2f46daed5a19e4fd89fe92702b01d06d68fe3fb48129f7f11a1103e4c513a96b0d113f1c7d826ae3aca91c4699ddf012964516f68da14ec084197908dd0b280f2cfc23dbf9168c580671ec4601355d56199577cba950f61493aca75bcc90a933f670e12f228e2311bc05716df087c19c17e0f1f851e0a367c5b7e27bc7abfe0dbf4da52bdde0c547031914395c8bcf03edd097e306450ed7f01a433674d684fbe15efb0f60211a21b13253adcc259f1e35c46bb672c0246ea1e48a6e65bd9b5bc51a29296dbaac63722a6fecc2074a32da92e6bcbc0821121b59379ee4486bed71ee41efb	s584.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB\Blob = 5c0000000100000004000000001000001900000001000000100000002ee0c890fdcb0441fa180c6834858995030000000100000014000000b94294bf91ea8fb64be61097c7fb001359b676cb68000000010000000800000000800c13c1b9d4017e000000010000000800000000c00c0f7f39d3010b000000010000000e00000057006f005300690067006e0000001d000000010000001000000051541f96c328dd7ac3ef2bdce753ac47140000000100000014000000e166cf0ed1f1b34bb7062014fe8712d5f6fefb3e6200000001000000200000004b22d5a6aec99f3cdb79aa5ec06838479cd5ecba7164f7f22dc1d65f63d857085300000001000000230000003021301f06092b06010401829b510230123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703080f000000010000001400000044cb4357ecb773b9ac3a3b0b1e45ab6bc45c2f1c040000000100000010000000a1f2f9b5d2c87a74b8f305f1d7e1848d20000000010000007a050000308205763082035ea00302010202105e68d61171946350560068f33ec9c591300d06092a864886f70d01010505003055310b300906035504061302434e311a3018060355040a1311576f5369676e204341204c696d69746564312a30280603550403132143657274696669636174696f6e20417574686f72697479206f6620576f5369676e301e170d3039303830383031303030315a170d3339303830383031303030315a3055310b300906035504061302434e311a3018060355040a1311576f5369676e204341204c696d69746564312a30280603550403132143657274696669636174696f6e20417574686f72697479206f6620576f5369676e30820222300d06092a864886f70d01010105000382020f003082020a0282020100bdca8dacb8911556977b6b5c7ac2de6bd9a1b0c31023faa7a1b2cc31fa3ed9a6296f163de06bf8b8405fdb39a8007a8ba04d547dc22278fc8e09b8a885d7cc95974b74d89e7ef000e40e89ae4928441a1099320f258853a40db30f1208160b0371271c7fe1dbd2fd6768c4055d0a0e5d70d7d897a0bc53419a918df49e36667a7e56c1905fe6b1682036a48c242c2c470b59766630b5bedeed8ff89dd3bb0130e6f2f30ee02c9280f385f9288ab4542e9aedf776fc156816eb4a6ceb2e128fd4cffe0cc75c1d0b7e0532be5eb0092a42d5c94e90b3590dbb7a7ecdd5085ab47fd81c6911f9270f7b06af5483187be1dd547a51686e77fcc6bf524a6646a1b2671abba34f77a0be5dfffc560b43727790ca9ef9f239f50da9f4ead7e7b3102f30423721cc3070c986980fcc584d83bb7de51aa5378db6ac3297003a6371241e9e37c4ff74d437c0e2fe88466011dd083f5036abb87aa495626a6eb0ca6a215a69f3f3fb1d703995f3a76ea68189a188c53b71caa352ee83bbfda077f4e46fe742db6d4a998a3448bc17dce4800822b6f231c03f043eeb9f2079d6b80664640231d7a9cd52fb84456909002adc558bc406464bc04a1d095b3928fda9abce00f92e484b26e6304ca558cab444824fe7911e33c3b093ff11fc81d2ca1f7129dd764f9225af1d81b70f2f8cc306cc2f27a34ae40e99ba7c1e451f7faa194596fdfc3d0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414e166cf0ed1f1b34bb7062014fe8712d5f6fefb3e300d06092a864886f70d01010505000382020100a8cb7240b276c17e7bfcad64e3327bcc3cb65d46d3f52ce2705dc82ed8067d98d10b21a0895924019df9af097d0a238234d5fc7c7299b9a3d754f4ea52700ec5f5d63be13a0932e6213993bdb315ea4f6af4f58b3f2f7c8d582ec5e139a03ec73d4a739e407ac02b61a967c9f324b9b36d552c5a1d9e2572ce0badaac755620bbefb63b3614423a3cbe11a0ef79a064dded4234e21965b395b571d2f5d085e0979ff7c97b54d83ae0dd6e6a379e033d099960230a73effd2a3433f055a06ea4402da7cf848d033a9f907c795e1f53ef55d71baf295a974886159e3bfca5a13ba72b48c5d3687e9a6c53c13bfded04426eeb7ec2e70fad79db7ace5c5405ae6d76c7b2cc3569b47cd0bcefa1bb421d7b766b8f425308b5c0db9ea67b2f46daed5a19e4fd89fe92702b01d06d68fe3fb48129f7f11a1103e4c513a96b0d113f1c7d826ae3aca91c4699ddf012964516f68da14ec084197908dd0b280f2cfc23dbf9168c580671ec4601355d56199577cba950f61493aca75bcc90a933f670e12f228e2311bc05716df087c19c17e0f1f851e0a367c5b7e27bc7abfe0dbf4da52bdde0c547031914395c8bcf03edd097e306450ed7f01a433674d684fbe15efb0f60211a21b13253adcc259f1e35c46bb672c0246ea1e48a6e65bd9b5bc51a29296dbaac63722a6fecc2074a32da92e6bcbc0821121b59379ee4486bed71ee41efb	s584.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB	s584.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\B94294BF91EA8FB64BE61097C7FB001359B676CB\Blob = 0f000000010000001400000044cb4357ecb773b9ac3a3b0b1e45ab6bc45c2f1c090000000100000034000000303206082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030106082b060105050703085300000001000000230000003021301f06092b06010401829b510230123010060a2b0601040182373c0101030200c06200000001000000200000004b22d5a6aec99f3cdb79aa5ec06838479cd5ecba7164f7f22dc1d65f63d85708140000000100000014000000e166cf0ed1f1b34bb7062014fe8712d5f6fefb3e1d000000010000001000000051541f96c328dd7ac3ef2bdce753ac470b000000010000000e00000057006f005300690067006e0000007e000000010000000800000000c00c0f7f39d30168000000010000000800000000800c13c1b9d401030000000100000014000000b94294bf91ea8fb64be61097c7fb001359b676cb20000000010000007a050000308205763082035ea00302010202105e68d61171946350560068f33ec9c591300d06092a864886f70d01010505003055310b300906035504061302434e311a3018060355040a1311576f5369676e204341204c696d69746564312a30280603550403132143657274696669636174696f6e20417574686f72697479206f6620576f5369676e301e170d3039303830383031303030315a170d3339303830383031303030315a3055310b300906035504061302434e311a3018060355040a1311576f5369676e204341204c696d69746564312a30280603550403132143657274696669636174696f6e20417574686f72697479206f6620576f5369676e30820222300d06092a864886f70d01010105000382020f003082020a0282020100bdca8dacb8911556977b6b5c7ac2de6bd9a1b0c31023faa7a1b2cc31fa3ed9a6296f163de06bf8b8405fdb39a8007a8ba04d547dc22278fc8e09b8a885d7cc95974b74d89e7ef000e40e89ae4928441a1099320f258853a40db30f1208160b0371271c7fe1dbd2fd6768c4055d0a0e5d70d7d897a0bc53419a918df49e36667a7e56c1905fe6b1682036a48c242c2c470b59766630b5bedeed8ff89dd3bb0130e6f2f30ee02c9280f385f9288ab4542e9aedf776fc156816eb4a6ceb2e128fd4cffe0cc75c1d0b7e0532be5eb0092a42d5c94e90b3590dbb7a7ecdd5085ab47fd81c6911f9270f7b06af5483187be1dd547a51686e77fcc6bf524a6646a1b2671abba34f77a0be5dfffc560b43727790ca9ef9f239f50da9f4ead7e7b3102f30423721cc3070c986980fcc584d83bb7de51aa5378db6ac3297003a6371241e9e37c4ff74d437c0e2fe88466011dd083f5036abb87aa495626a6eb0ca6a215a69f3f3fb1d703995f3a76ea68189a188c53b71caa352ee83bbfda077f4e46fe742db6d4a998a3448bc17dce4800822b6f231c03f043eeb9f2079d6b80664640231d7a9cd52fb84456909002adc558bc406464bc04a1d095b3928fda9abce00f92e484b26e6304ca558cab444824fe7911e33c3b093ff11fc81d2ca1f7129dd764f9225af1d81b70f2f8cc306cc2f27a34ae40e99ba7c1e451f7faa194596fdfc3d0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e04160414e166cf0ed1f1b34bb7062014fe8712d5f6fefb3e300d06092a864886f70d01010505000382020100a8cb7240b276c17e7bfcad64e3327bcc3cb65d46d3f52ce2705dc82ed8067d98d10b21a0895924019df9af097d0a238234d5fc7c7299b9a3d754f4ea52700ec5f5d63be13a0932e6213993bdb315ea4f6af4f58b3f2f7c8d582ec5e139a03ec73d4a739e407ac02b61a967c9f324b9b36d552c5a1d9e2572ce0badaac755620bbefb63b3614423a3cbe11a0ef79a064dded4234e21965b395b571d2f5d085e0979ff7c97b54d83ae0dd6e6a379e033d099960230a73effd2a3433f055a06ea4402da7cf848d033a9f907c795e1f53ef55d71baf295a974886159e3bfca5a13ba72b48c5d3687e9a6c53c13bfded04426eeb7ec2e70fad79db7ace5c5405ae6d76c7b2cc3569b47cd0bcefa1bb421d7b766b8f425308b5c0db9ea67b2f46daed5a19e4fd89fe92702b01d06d68fe3fb48129f7f11a1103e4c513a96b0d113f1c7d826ae3aca91c4699ddf012964516f68da14ec084197908dd0b280f2cfc23dbf9168c580671ec4601355d56199577cba950f61493aca75bcc90a933f670e12f228e2311bc05716df087c19c17e0f1f851e0a367c5b7e27bc7abfe0dbf4da52bdde0c547031914395c8bcf03edd097e306450ed7f01a433674d684fbe15efb0f60211a21b13253adcc259f1e35c46bb672c0246ea1e48a6e65bd9b5bc51a29296dbaac63722a6fecc2074a32da92e6bcbc0821121b59379ee4486bed71ee41efb	s584.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	s584.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce7f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c06200000001000000200000008d722f81a9c113c0791df136a2966db26c950a971db46b4199f4ea54b78bfb9f1400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e00000074006800610077007400650000007e000000010000000800000000c0032f2df8d60168000000010000000000000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	s584.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
4332	fdade656dbe21b750af957159863c56d_JaffaCakes118.exe
4332	fdade656dbe21b750af957159863c56d_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeBackupPrivilege	2924	dw20.exe
Token: SeBackupPrivilege	2924	dw20.exe

Suspicious use of WriteProcessMemory 4 IoCs

description	pid	Process	procid_target
PID 4332 wrote to memory of 3560	4332	fdade656dbe21b750af957159863c56d_JaffaCakes118.exe	86
PID 4332 wrote to memory of 3560	4332	fdade656dbe21b750af957159863c56d_JaffaCakes118.exe	86
PID 3560 wrote to memory of 2924	3560	s584.exe	98
PID 3560 wrote to memory of 2924	3560	s584.exe	98

C:\Users\Admin\AppData\Local\Temp\fdade656dbe21b750af957159863c56d_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\fdade656dbe21b750af957159863c56d_JaffaCakes118.exe"
1⤵
- Identifies VirtualBox via ACPI registry values (likely anti-VM)
- Checks computer location settings
- Enumerates system info in registry
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:4332
- C:\Users\Admin\AppData\Local\Temp\n584\s584.exe
  "C:\Users\Admin\AppData\Local\Temp\n584\s584.exe" 631a9454357e7bb4b9a77595xbyDmQYLpcALvBIqN9SEVAfK5EYa/6o4OV/kQtXP3nbEbwbbTZBSGpW7mJgYr8+Eg7Nx97wLCllTtLEe6AQUZtiwVgod4Khid8nGH0IQSKPKHvm9zCQGMBJomf3W/hznoqgSWUBfDHCJl60jHliOIF5FAtT6NLqkQpJGmZs= /v "C:\Users\Admin\AppData\Local\Temp\fdade656dbe21b750af957159863c56d_JaffaCakes118.exe"
  2⤵
  - Executes dropped EXE
  - Drops desktop.ini file(s)
  - Drops file in Windows directory
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:3560
- - C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
    dw20.exe -x -s 1956
    3⤵
    - Checks processor information in registry
    - Enumerates system info in registry
    - Suspicious use of AdjustPrivilegeToken
    PID:2924

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Discovery

Query Registry

4

System Information Discovery

4

Virtualization/Sandbox Evasion