xmrig | 48a5dd4f19318e47e5316e29629a6bb3f4d0613fb0f54ce58a409f8a46d0d548

Analysis

max time kernel
141s
max time network
138s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
30/04/2024, 18:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
Size

7.3MB
MD5

0a4f561363f0bae19ade6bf4c2703eb0
SHA1

01b3c08dbde0e7812eec213a4a3516c5e488808c
SHA256

48a5dd4f19318e47e5316e29629a6bb3f4d0613fb0f54ce58a409f8a46d0d548
SHA512

15c768c0cb2190c62cba93a32104e30e690189adafc88b69a7f6e264e66693d7939499af5f29314811ba80c5dde93a27ba495a2187ffbef2b2f6e676b7d46526
SSDEEP

98304:JGxVzrQ6viczbMAIgXSYn0UL2AzZfzpvLhpLB1uV9+S99U:JMVzs6qczbJXSYnZFZbpvbLB10n99U

Score

10^/10

xmrig miner upx

Malware Config

Signatures

xmrig
XMRig is a high performance, open source, cross platform CPU/GPU miner.
miner xmrig

XMRig Miner payload 6 IoCs

miner

resource	yara_rule
behavioral1/memory/1724-381-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/1724-862-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/1724-863-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/1724-864-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/1724-927-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig
behavioral1/memory/1724-1062-0x0000000000400000-0x00000000010B6000-memory.dmp	xmrig

UPX packed file 8 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/1724-0-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/1724-381-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/1724-862-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/1724-863-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/1724-864-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/1724-927-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/1724-1062-0x0000000000400000-0x00000000010B6000-memory.dmp	upx
behavioral1/memory/1724-1064-0x0000000000400000-0x00000000010B6000-memory.dmp	upx

Legitimate hosting services abused for malware hosting/C2 1 TTPs 4 IoCs

Web Service

T1102

flow	ioc
57	raw.githubusercontent.com
58	raw.githubusercontent.com
79	drive.google.com
80	drive.google.com

Drops autorun.inf file 1 TTPs 3 IoCs

Malware can abuse Windows Autorun to spread further via attached volumes.

Replication Through Removable Media

T1091

description	ioc	Process
File created	D:\autorun.inf	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File created	F:\autorun.inf	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File opened for modification	F:\autorun.inf	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File created	C:\Program Files\7-Zip\7-zip.dll	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7zG.exe.exe	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\af.txt	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\an.txt	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ast.txt	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\az.txt	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bn.txt	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\br.txt	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7-zip.chm.exe	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\History.txt	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\Lang\af.txt.exe	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ar.txt	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\be.txt	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7z.exe	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7-zip.chm	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7-zip32.dll.exe	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zCon.sfx	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7zCon.sfx.exe	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zFM.exe	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\History.txt.exe	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\Lang\ast.txt.exe	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\Lang\ba.txt.exe	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\Lang\be.txt.exe	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\Lang\bn.txt.exe	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\Lang\br.txt.exe	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7zG.exe	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\Lang\an.txt.exe	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\Lang\az.txt.exe	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\bg.txt	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7z.dll.exe	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7z.exe.exe	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7z.sfx.exe	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7-zip.dll.exe	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\Lang\ar.txt.exe	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\Lang\ba.txt	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\Lang\bg.txt.exe	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7-zip32.dll	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7z.dll	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File opened for modification	C:\Program Files\7-Zip\7z.sfx	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
File created	C:\Program Files\7-Zip\7zFM.exe.exe	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe

Modifies Internet Explorer start page 1 TTPs 2 IoCs

stealer

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.wawimUIYKB.com"	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Internet Explorer\Main\Start Page = "https://www.aufDVTLOdE.com"	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d00f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030853000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c00b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b00000001000000180000004300b7004f00b7004d00b7004f00b7004400b7004f00000053000000010000002600000030243022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 2 IoCs

description	pid	Process
Token: SeLockMemoryPrivilege	1724	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
Token: SeLockMemoryPrivilege	1724	0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\0a4f561363f0bae19ade6bf4c2703eb0_JaffaCakes118.exe"
1⤵
- Drops autorun.inf file
- Drops file in Program Files directory
- Modifies Internet Explorer start page
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:1724

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Replication Through Removable Media

T1091

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Lateral Movement

Replication Through Removable Media

T1091

Collection

Command and Control

Web Service

T1102

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\070E0202839D9D67350CD2613E78E416

Filesize
1KB

MD5
55540a230bdab55187a841cfe1aa1545

SHA1
363e4734f757bdeb89868efe94907774a327695e

SHA256
d73494e3446b02167573b3cde3ae1c8584ac26e15e45ac3ec0326708425d90fb

SHA512
c899cb1d31d3214fd9dc8626a55e40580d3b2224bf34310c2abd85d0f63e2dedaeae57832f048c2f500cb2cbf83683fcb14139af3f0b5251606076cdb4689c54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\070E0202839D9D67350CD2613E78E416

Filesize
230B

MD5
34363bdf3e9442a682ba9b87ef971e47

SHA1
7d3f73405550fc94feeae74a5f6af621ceb5ef1a

SHA256
3e67d3eb2b5825c2a6f004d33d905c1ca078b51f6a2d9694828f8d60fab9685d

SHA512
6161150b802aa2113685d0d537bac1db9b047442be4b8e9fee61739098d5def6ef23d7abfad73bfcfa9ebd12f7a6f7d5756368470f11d6e05e81ea5e8497d6e1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0be296d5f830ab5b83c90b72ac6793eb

SHA1
5a1386a37416a8d2c355ffe9a0bdbe8fb981bbb2

SHA256
eac715e5c499ac674781a3cca045e1ea9a5567bb6d1e02980079a45bae616e40

SHA512
26657cb527c58c06b09756c620112f696b58bbf97d792d0dba147a7408215b6632426db2080cb866ef45361cba3eaf96a2a0bd9b380742923f0dcba2fdacd9d0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
ce85348774fc7c7a06f29bffcbdbaf22

SHA1
0e637a744c06292fce3bb099967e8148da87b812

SHA256
2a6046d3f5926be38af6f9d4c4584c28eed6e803625ac27c766f1e614ad9b435

SHA512
486d16acf7498162506fec25dd0f7f7f5550fbf43b5e759b40c3780e6269ea4d533a55f514a2e48e226b34f38973a32a0636e6e4b9d1c2ee556d1a0646f6a40a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c9e81b44ddf8e40f0e6b430de64693f2

SHA1
565677d1030e2169e6796d3c7745dc869efa7c25

SHA256
a6ec3751bc1f77ed02e3e9766470529de2517b96a2f325d35ef1a24854655f01

SHA512
9c2b6e8c784b55e42216cd329d27fccae871f07e68cc653975864cb9c47c88d7706f5d9992a8d36fdc7a9ab184e984649c25e17017810364171ff847ee922232

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7e99a2d47eb8c069061494aad2caa906

SHA1
142e47f4bb71ad7c91ea81662a0fc965f679a256

SHA256
c438bf5ccccc2185e466bff1617236ed1284f1d83b71178bdeb9f923ddd579dd

SHA512
7a78cc3a88088f31bcab6ab189a0a9832e2ed518f380d67179c839be9ffec751a2bbfb3f8a37c44407bbf89e9c545e1a390f786d0f4326f3288b9e44934d762a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
e1e2eb737603f81f36197691f1c8a9b8

SHA1
bde90eb3c4fd1bf20c4e94c462c05f0143987b2a

SHA256
c6bbf749dfdad83f75ec92fd37a069624113b3d854a9468c2e32f4bc41b8afc3

SHA512
2fd095b8fe43af8de436e70d35b12f6e506c5bc628e68d417e2512453b9ad14793a391f25071de8b458a584663ace17eb31ec9257efbb6534709e477c182d5b9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
bf29240d0b05b6ab19414f91937e9b2d

SHA1
ab4611a8956c147fb550d083bd0e1dc62fe2a348

SHA256
3d36daba1ba100eea113153a1ddcec425c8dd602ce2ca875cafc4df2900c5f12

SHA512
30cc1e806dfb858fb177afccd74625f91c8b68ad8b15b6545f1fe53bff5e2e43e39627c515baeeb14bd65e548ae0a9ceae983a31c8cf76cd809ea5a5edb37e56

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab1AB5.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1AB7.tmp

Filesize
171KB

MD5
9c0c641c06238516f27941aa1166d427

SHA1
64cd549fb8cf014fcd9312aa7a5b023847b6c977

SHA256
4276af3669a141a59388bc56a87f6614d9a9bdddf560636c264219a7eb11256f

SHA512
936ed0c0b0a7ff8e606b1cc4175a1f9b3699748ccbba1c3aff96203033d2e9edabf090e5148370df42fbfc4e31d7229493706ff24f19ff42ff7bef74a6baad06

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar1B87.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
memory/1724-863-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/1724-1054-0x00000000002D0000-0x00000000002D1000-memory.dmp

Filesize
4KB

Download
memory/1724-381-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/1724-862-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/1724-0-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/1724-864-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/1724-927-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/1724-1052-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/1724-1053-0x00000000002C0000-0x00000000002C1000-memory.dmp

Filesize
4KB

Download
memory/1724-1-0x00000000002E0000-0x00000000002F0000-memory.dmp

Filesize
64KB

Download
memory/1724-1055-0x00000000002F0000-0x0000000000330000-memory.dmp

Filesize
256KB

Download
memory/1724-1056-0x0000000000330000-0x0000000000352000-memory.dmp

Filesize
136KB

Download
memory/1724-1057-0x0000000000360000-0x0000000000370000-memory.dmp

Filesize
64KB

Download
memory/1724-1058-0x0000000000370000-0x0000000000380000-memory.dmp

Filesize
64KB

Download
memory/1724-1059-0x0000000000380000-0x0000000000390000-memory.dmp

Filesize
64KB

Download
memory/1724-1060-0x00000000003B0000-0x00000000003F0000-memory.dmp

Filesize
256KB

Download
memory/1724-1061-0x00000000003F0000-0x0000000000400000-memory.dmp

Filesize
64KB

Download
memory/1724-1063-0x0000000004680000-0x0000000004681000-memory.dmp

Filesize
4KB

Download
memory/1724-1062-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download
memory/1724-1064-0x0000000000400000-0x00000000010B6000-memory.dmp

Filesize
12.7MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads