xmrig | 6c2b9d676113e66fdca2da62a77c30c44fa0a0866f44a24bdd57dfcb5e7c2206

Analysis

max time kernel
120s
max time network
138s
platform
windows7_x64
resource
win7-20240215-en
resource tags

arch:x64arch:x86image:win7-20240215-enlocale:en-usos:windows7-x64system
submitted
26/04/2024, 11:50

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
Size

6.8MB
MD5

00b343deb0296dc284079cb7d003c17a
SHA1

92cfd278aaf47e3233e798eff544397e82ebd2c5
SHA256

6c2b9d676113e66fdca2da62a77c30c44fa0a0866f44a24bdd57dfcb5e7c2206
SHA512

0c633cea6dcd45fc0b4dccd11661aa467b3e09f4eef1ab6a605e3ff64940afe95d4bdf53f25e57514e966ec6b739900b512afc13353f0bae917a08f8679c8705
SSDEEP

49152:shw3DAcwLj0z1xuMofmJfbs924R3x4UJCjfleABOExwq5t/pm2tWDDxUmAk1odVm:sgkFM3DcH/J8vBO6x5tRm2tAUmA1btb2

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral1/memory/1724-259-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/1724-383-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/1724-384-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/1724-805-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/1724-806-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/1724-819-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1724-1-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/1724-259-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/1724-383-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/1724-384-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/1724-805-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/1724-806-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/1724-819-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/1724-821-0x0000000000400000-0x00000000010B6000-memory.dmp	upx

Drops file in Program Files directory 34 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.exe	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.exe	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.exe	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7-zip.chm.exe	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7z.dll.exe	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7zFM.exe.exe	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7zG.exe.exe	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7z.exe.exe	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.exe	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.exe	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7-zip.dll	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7-zip.dll.exe	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.exe	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7z.sfx.exe	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.exe	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\History.txt.exe	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.exe	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.exe	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 10 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 040000000100000010000000324a4bbbc863699bbe749ac6dd1d46240f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a190000000100000010000000fd960962ac6938e0d4b0769aa1a64e262000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 0f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 19000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca61d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e4090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a92000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1724	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	1724	00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00b343deb0296dc284079cb7d003c17a_JaffaCakes118.exe"
1⤵
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
f14ecf20659d86ff6650b76c79fd910a

SHA1
7916c42e9ed9c2a08bcf0bc59848a99628e1ce15

SHA256
8fa24ec1f6ba71370c3bcfc2902948ecb4d21bbe566bef2fdfc841ef70421450

SHA512
ee3b5211e1ae80c85962b68a570ecc8722f73a80e810f9303ae0a6327b455875b1d1dcd962b5b44f5a3a59a2d6ca98f06da32ddf07709ac3a505ac8f43e18ad9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a7ffb968e40420a55baa2123ab38e001

SHA1
913a2d390a102ee6543c91866d903091fd71b7b8

SHA256
965bb62a6bd9a66a5e14808ce79320606405b6f7a76503c821d2646aaf75df93

SHA512
9c0c0ed5a85cb241763b18e8d01a90108efed7cef2cd542898323cd230173aa1836c09e6b1aa45693bacb6bbdab21a34471ea3d25e17f534ab8f8fa91e57dba4

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7f7c21b97923a71068f12c40de47a555

SHA1
911f715087a1bb0fa61b714ec49b1bfab12f675a

SHA256
5c197c222300118e543a44fa189b8c52f1d535f61386dfdcc121d9cb8d449172

SHA512
e600e0804c379b981e84d6f5d8a708707a61a4875aa981433faff723233f55e6ea0e4e1d89f1c6f03513d01704408b3c2e43f7d185c33f6e645a461ce0197404

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
163230bd62b67d0a4651734d677208b1

SHA1
2a79ba2621928a1448812ee090888e4862db73d7

SHA256
ff0909faf247e9fe9bd207e88bd2c35b1b76d3ee0ac5fd32bb908ef5cd75c577

SHA512
7d5f43d4b74a0603de7b637a51172c89e58167dd65201282552f2bf5086fe84698a7248bf736a9d402cfabeeb8fe23611a0e8ebd8ffb8af9e7d665e4c8f36ff9

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab2010.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2061.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2171.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
memory/1724-805-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/1724-811-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1724-259-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/1724-383-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/1724-384-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/1724-0-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/1724-806-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/1724-809-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1724-810-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1724-1-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/1724-812-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/1724-813-0x0000000000330000-0x0000000000352000-memory.dmp

Filesize
136KB

Download
memory/1724-814-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/1724-815-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/1724-816-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/1724-817-0x00000000003B0000-0x00000000003F0000-memory.dmp

Filesize
256KB

Download
memory/1724-818-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/1724-819-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/1724-820-0x0000000004400000-0x0000000004401000-memory.dmp

Filesize
4KB

Download
memory/1724-821-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download