gandcrab | 9f44eaf881e2e145794a360aca1cdd2e9ac2e020e59b1829ea8f92d4fd3eebd0

Analysis

max time kernel
147s
max time network
147s
platform
windows7_x64
resource
win7-20240419-en
resource tags

arch:x64arch:x86image:win7-20240419-enlocale:en-usos:windows7-x64system
submitted
14/05/2024, 13:37

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
Size

589KB
MD5

41b007b09b3da5bf2f1e6bf34d7ca6c1
SHA1

1c1b84e1cf1576f8d5c9622aad42def01c48a493
SHA256

9f44eaf881e2e145794a360aca1cdd2e9ac2e020e59b1829ea8f92d4fd3eebd0
SHA512

50347bc41495d893c1c71fdb0b36bb2a56d672d7af9c3ad0dcc8cfd334ead9c96c849863afaeb3d555924de61a79febc5a39e6ba2b965c4289b2c96ab2584ec3
SSDEEP

12288:MUiTFXMfffP5dgVHYPT4m90rrYQp48+0I6O4lNh7vaqFaFmSiyyjKF:MUihXy/YClF6O4HhBd8F

Score

10^/10

gandcrab backdoor defense_evasion execution impact ransomware spyware stealer

Malware Config

Extracted

Path

F:\$RECYCLE.BIN\S-1-5-21-481678230-3773327859-3495911762-1000\KRAB-DECRYPT.txt

Ransom Note

---= GANDCRAB V4 =--- Attention! All your files, documents, photos, databases and other important files are encrypted and have the extension: .KRAB The only method of recovering files is to purchase an unique private key. Only we can give you this key and only we can recover your files. The server with your key is in a closed network TOR. You can get there by the following ways: ---------------------------------------------------------------------------------------- | 0. Download Tor browser - https://www.torproject.org/ | 1. Install Tor browser | 2. Open Tor Browser | 3. Open link in TOR browser: http://gandcrabmfe6mnef.onion/2b8272202ce8c9a7 | 4. Follow the instructions on this page ---------------------------------------------------------------------------------------- On our page you will see instructions on payment and get the opportunity to decrypt 1 file for free. ATTENTION! IN ORDER TO PREVENT DATA DAMAGE: * DO NOT MODIFY ENCRYPTED FILES * DO NOT CHANGE DATA BELOW ---BEGIN GANDCRAB KEY--- lAQAAMVZYvVCG8az4Aor8UX5Ch6MuI41g5rYx8AgzACyScdQeHhLcD57nSkJJRlacu50oxKd0XeHxiJ8tmFYAyKhUZWyHgmzATM3n0yoX8drcc1e944WV3lhdwQd5PtKEzN5tz2pZabemTTdo3ULGxY46EYup38I71MvcFLzu3gFQol/f7moZmVfIbA8Z6cKJdERVDZ/P/mzWPlBwAgmgyvbOUPLimUgy0hqO2aC/ESZtipYBCJ3nSbeODgIjbrP6rxrvNjCIEWdS44YOXbwSvr0HFk/Dmd8LhV6ZPeIDFi3Wp8c4i+8Kt9CSdJFirq/ytOCx5nNCMuqEwaOPE1tMSdccWQd4vY+pmmILkxLWDVdCy89kdPvX+X+KjIgqr9KSLhswBMA5agms1fND+l1JI6rNae5kwfE4XdCwB0IhH5vuQ6AyDrCVe1gzcNmjhtNlq2nNBeOmljtsqakBbsxm8RmHfIu9nBDBVZAIbzWd6GW/CRAPxqcKo8G/iRz645DmCAnzZ5qia9ijXk9OekQ7k6D46KiBxW6OgnXVA2jvmif3ANXrjKPnfPPAJ8Q9lYdAWFBVn2xPrugeF6f9Iyd/BWi0v0gMcO6WTxFGDsKKfy37DG7COiFlshs/v31m6PTNp+VInlXKmFKCl2RMZ3g2CCLWWNL4ohsuJAJnfmcXweLQLt9VUr0llAYzS+PHGUpm/cOLM5PIXi8stqgp0Neq/2ozCv/fPOkC5h4RGcAcUVAWq7YT/Kt9OovjppucdkOuaHY9Nsf0nIxY0nIx/Wuc4eFoSNcnM4pRns8ISgcJEIkPRz+MoUxhKNrbhQbDDZxpUCUcPrg2ReeG5ggRCuqnFevaHYAH5O3r6W0uMdy6naN7cLylB+hThnKtuUOnd+bPZfkONhlKV1yYoyzw8B+4Cq8KUHZg2e86X40tEYOaQ/WWhTzh1+2KtXi90X/vnBXjy9DduMpLdpZiWbZzVq8nltpozFRY5gy5SiG63yc5lT33lbak2l1gz5OqAv7UbdHQobXb39ab2kDPgUsiN4PYNLKz+LCPrMWFcoEo0r8Eksgh2WCG5eNSI1DHCNTrXGt98dVe2xEelIoRlrMm8+XLeWp4XHeb3WfD4tu6Fp7qqU3Mpu03bx3LsSHECIwczXMjPR0TT5PQiCWyP+lv7yZVWHbJ6CMcumSZNvtQ0zik4a20Yn2Olokoc6Pd/uRQ+D3kv11zn+vZEhYuCk3ODxcu/Np3Qd3hHlfdWgsNu8xtm7erYDFtNp/0IABVPx1DKxaHTEa8JGljbbq4YokmyZf7It//ju5DVYypeuMYjXLKwDfEwP1psnA5pgqgz2mAersgW9bZH/zxhCX97Ik5SFBtFp21NzD/JOI4rsCOVEmndAK+9w1Wg5R3x7WIuiG/1yfar11K3sS4fIGuV0bsDV+qRFotbk3gj101bKDnveXHKbNsQQgp4MPu10Ccuatnd5QfA2vui2/jAW6vctpamSHZMbfdKY80mp87ZaeR8p+N7SjWb8+EEE5xi1J7x+3gN1zjSel31q0j0UQEs6nkZzguxLQqP1miiL464xHX4tdyGWuYJZfOQyXBkgOevXifoSndPeli5Wk/rzYdHF7a08zmo6amTJRAcuPunBAe62u+9yeNg2eNC7TwJ3dsSx/4HvQFkAqFgl/mwmwt0wqAkOWVYHPfmqrZo8V5sPzaLP5R68X9nVTp70NeVI578EBAY0ZlV9pJZc3hMQbxPt3AttjMqjYA2SbXQQ9p+haNSmudbDNb/fyZ5HCgr43x+p0aS16epRrDYgElbEYU2kd/s8w9YoN5mHaHYOFlnI9/66HTdG7P5CxFejQ9wPBGnzlQCD0WWXS+0j/LtknsfZfhDt4twARNOjqUfpIUpqaXqOUxMeNkScYoWKAU4qKlPCYl7aKVeBCQlAe4P5FySkDq1lSrJ5PyMmPXJUFzZC0QIfMfB/Z9VUr60371s4lCvN0qKR9c2Kt+dJcH9Uz1zaIto4spNsuJNkh40Vb0J1iQjXEJN9eyjGhmLXJNJKlpIJaxzHpxOMVVxq83zsIau/KXH2CFNy7mELX7Z9qZzkZwDp1dfRVAQV5wqxIxpGK0OaOMDRADLrrY4KFLP5WNDaxiEYqxkJoR8ZvM+cho6magO7/udQB5tvz2R+b1U2C4/FOOC6WnH5ol5irAKXka9tbPd7QtS0nD8wLkyA3ZcQq4ZEKOCeDRCQYBURyfuqq9WCAwYz9lfFnVCs4y/4= ---END GANDCRAB KEY--- ---BEGIN PC DATA--- wfKD6iudumBkmpL8IRr4U4exEVaoOXLtwDwmOrT1y1YWvOiWMx5GYaRdvZZCTp5RvHYR7mlWq7fYTGCHhh5qBJzzs9MC7736UkGSDDniUJJG8/LFF//kmGmoAZAGLo2j5/wd2UrxMJK+iqKhTkS3ArgAxrZOOOiXrbnhbWMkLHQnbYuWlMClYZxYU6SDxpopRo5r292AV1KIZBZV4APBuUHcKSIr2MWMI0O1MKIP2IpKLE2TS5wLmpQodXZhP6M/UPrO1sZzkDbgjYlAG3g8l65nVd0/CBUxKQ7KDJYrtX0vSmnFXg/ykfgtJNiwqfCnqbr85+Bi4bEgkUDB4uKj/2Q2E+smGtlYP1rWBi/t/hHfEYgbpicE4oG4b6a1Y8ZyGoyp2Q2iuJRzTRoqGlPQJIAJppFrwNIoDBPOnKw+A+5ZALufjGEwg7NrKg3qxA9Kxg73ZibpDRFN3vDLNeat1wYZLXRgRl+KCjmo1jngAX95mSffmizzQU1nmrIqlsew6HIMVY3pdDfwfAscdcBnP3FNhn9WQ3XC06ZCEvXtdUj8BYRMbJH2Hp8Oar+NRZwP9okRV/rusrPFzML9PHYHh9gzrewdRb9tHf+DbmDW4OIcXpReLdQp9FRha1KO2vpgy2mFLQkzlAtXfjb5QmECiQ== ---END PC DATA---

URLs

http://gandcrabmfe6mnef.onion/2b8272202ce8c9a7

Signatures

Gandcrab
Gandcrab is a Trojan horse that encrypts files on a computer.
ransomware backdoor gandcrab
Deletes shadow copies 3 TTPs
Ransomware often targets backup files to inhibit system recovery.
ransomware defense_evasion impact execution

File Deletion
T1070.004

Inhibit System Recovery
T1490

Windows Management Instrumentation
T1047
Renames multiple (275) files with added filename extension
This suggests ransomware activity of encrypting all the files on the system.
ransomware
Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

Enumerates connected drives 3 TTPs 23 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\T:	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened (read-only)	\??\N:	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened (read-only)	\??\S:	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened (read-only)	\??\V:	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened (read-only)	\??\Y:	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened (read-only)	\??\Z:	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened (read-only)	\??\I:	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened (read-only)	\??\J:	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened (read-only)	\??\M:	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened (read-only)	\??\R:	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened (read-only)	\??\U:	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened (read-only)	\??\W:	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened (read-only)	\??\A:	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened (read-only)	\??\G:	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened (read-only)	\??\O:	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened (read-only)	\??\K:	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened (read-only)	\??\L:	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened (read-only)	\??\P:	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened (read-only)	\??\Q:	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened (read-only)	\??\X:	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened (read-only)	\??\B:	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened (read-only)	\??\E:	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened (read-only)	\??\H:	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 2288 set thread context of 1292	2288	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe	30

Drops file in Program Files directory 40 IoCs

description	ioc	Process
File opened for modification	C:\Program Files\RepairExport.hta	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\UpdateFind.ps1	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File created	C:\Program Files\KRAB-DECRYPT.txt	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\DebugPing.csv	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\EnableInvoke.ppt	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\GetConvert.mpg	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\LockPush.bin	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\CompareResume.AAC	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\ReadSelect.001	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\RestoreUnpublish.xls	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\SuspendResume.mht	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\2ce8ce4a2ce8c9a456.lock	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\MoveSet.potm	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\SearchAdd.M2V	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File created	C:\Program Files\2ce8ce4a2ce8c9a456.lock	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\ConfirmInitialize.vsd	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\CopySend.ex_	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\ShowExit.bin	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File created	C:\Program Files (x86)\KRAB-DECRYPT.txt	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\KRAB-DECRYPT.txt	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\CompareConvertTo.rar	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\DisablePing.htm	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\ImportResolve.dwg	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\RequestInstall.m1v	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\RestoreAssert.mpp	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\2ce8ce4a2ce8c9a456.lock	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\InvokeInitialize.xhtml	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\MovePop.ram	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\2ce8ce4a2ce8c9a456.lock	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\Desktop\KRAB-DECRYPT.txt	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\CompressSave.xps	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\LockUnpublish.vstm	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\RestartMove.TTS	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File created	C:\Program Files (x86)\2ce8ce4a2ce8c9a456.lock	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File created	C:\Program Files (x86)\Microsoft SQL Server Compact Edition\v3.5\KRAB-DECRYPT.txt	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\FormatCheckpoint.crw	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\MergeStart.mpe	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\RedoJoin.mp4	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\RegisterExit.mpg	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
File opened for modification	C:\Program Files\RepairEdit.nfo	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Checks processor information in registry 2 TTPs 3 IoCs

Processor information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key opened	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 11 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 040000000100000010000000410352dc0ff7501b16f0028eba6f45c50f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131900000001000000100000006cf252fec3e8f20996de5d4dd9aef42420000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6\Blob = 040000000100000010000000a923759bba49366e31c2dbf2e766ba870f000000010000001400000007eeabaf80a9ef4ae1b2cb9b4b5fc70d0428e6a953000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000002e00000053007400610072006600690065006c006400200054006500630068006e006f006c006f0067006900650073000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000a848b4242fc6ea24a0d78e3cb93c5c78d79833e41d00000001000000100000005959ddbc9c7632ba0a05f06316846fe6030000000100000014000000317a2ad07f2b335ef5a1c34e4b57e8b7d8f1fca619000000010000001000000044ba5fd9039fc9b56fd8aadccd597ca62000000001000000eb020000308202e730820250020101300d06092a864886f70d01010505003081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d301e170d3939303632363030313935345a170d3139303632363030313935345a3081bb312430220603550407131b56616c69436572742056616c69646174696f6e204e6574776f726b31173015060355040a130e56616c69436572742c20496e632e31353033060355040b132c56616c694365727420436c617373203220506f6c6963792056616c69646174696f6e20417574686f726974793121301f06035504031318687474703a2f2f7777772e76616c69636572742e636f6d2f3120301e06092a864886f70d0109011611696e666f4076616c69636572742e636f6d30819f300d06092a864886f70d010101050003818d0030818902818100ce3a71cae5abc8599255d7abd8740ef9eed9f655475965470e0555dceb98363c5c535dd330cf38ecbd4189ed254209246b0a5eb37cdd522d4ce6d4d67d5a59a965d449132d244d1c506fb5c185543bfe71e4d35c42f980e0911a0a5b393667f33f557c1b3fb45f647334e3b412bf8764f8da12ff3727c1b343bbef7b6e2e69f70203010001300d06092a864886f70d0101050500038181003b7f506f6f509499496238381f4bf8a5c83ea78281f62bc7e8c5cee83a1082cb18008e4dbda8587fa17900b5bbe98daf41d90f34ee218119a0324928f4c48e56d55233fd50d57e996c03e4c94cfccb6cab66b34a218ce5b50c323e10b2cc6ca1dc9a984c025bf3ceb99ea5720e4ab73f3ce61668f8beed744cbc5bd5621f43dd	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 0f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6500b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f007200690074007900000053000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b06010505070303140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e71d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a2000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8\Blob = 0400000001000000100000000cd2f9e0da1773e9ed864da5e370e74e14000000010000001400000079b459e67bb6e5e40173800888c81a58f6e99b6e030000000100000014000000cabd2a79a1076a31f21d253635cb039d4329a5e80f00000001000000200000003f0411ede9c4477057d57e57883b1f205b20cdc0f3263129b1ee0269a2678f631900000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000006f0500003082056b30820353a0030201020211008210cfb0d240e3594463e0bb63828b00300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3135303630343131303433385a170d3335303630343131303433385a304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f7420583130820222300d06092a864886f70d01010105000382020f003082020a0282020100ade82473f41437f39b9e2b57281c87bedcb7df38908c6e3ce657a078f775c2a2fef56a6ef6004f28dbde68866c4493b6b163fd14126bbf1fd2ea319b217ed1333cba48f5dd79dfb3b8ff12f1219a4bc18a8671694a66666c8f7e3c70bfad292206f3e4c0e680aee24b8fb7997e94039fd347977c99482353e838ae4f0a6f832ed149578c8074b6da2fd0388d7b0370211b75f2303cfa8faeddda63abeb164fc28e114b7ecf0be8ffb5772ef4b27b4ae04c12250c708d0329a0e15324ec13d9ee19bf10b34a8c3f89a36151deac870794f46371ec2ee26f5b9881e1895c34796c76ef3b906279e6dba49a2f26c5d010e10eded9108e16fbb7f7a8f7c7e50207988f360895e7e237960d36759efb0e72b11d9bbc03f94905d881dd05b42ad641e9ac0176950a0fd8dfd5bd121f352f28176cd298c1a80964776e4737baceac595e689d7f72d689c50641293e593edd26f524c911a75aa34c401f46a199b5a73a516e863b9e7d72a712057859ed3e5178150b038f8dd02f05b23e7b4a1c4b730512fcc6eae050137c439374b3ca74e78e1f0108d030d45b7136b407bac130305c48b7823b98a67d608aa2a32982ccbabd83041ba2830341a1d605f11bc2b6f0a87c863b46a8482a88dc769a76bf1f6aa53d198feb38f364dec82b0d0a28fff7dbe21542d422d0275de179fe18e77088ad4ee6d98b3ac6dd27516effbc64f533434f0203010001a3423040300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff301d0603551d0e0416041479b459e67bb6e5e40173800888c81a58f6e99b6e300d06092a864886f70d01010b05000382020100551f58a9bcb2a850d00cb1d81a6920272908ac61755c8a6ef882e5692fd5f6564bb9b8731059d321977ee74c71fbb2d260ad39a80bea17215685f1500e59ebcee059e9bac915ef869d8f8480f6e4e99190dc179b621b45f06695d27c6fc2ea3bef1fcfcbd6ae27f1a9b0c8aefd7d7e9afa2204ebffd97fea912b22b1170e8ff28a345b58d8fc01c954b9b826cc8a8833894c2d843c82dfee965705ba2cbbf7c4b7c74e3b82be31c822737392d1c280a43939103323824c3c9f86b255981dbe29868c229b9ee26b3b573a82704ddc09c789cb0a074d6ce85d8ec9efceabc7bbb52b4e45d64ad026cce572ca086aa595e315a1f7a4edc92c5fa5fbffac28022ebed77bbbe3717b9016d3075e46537c3707428cd3c4969cd599b52ae0951a8048ae4c3907cecc47a452952bbab8fbadd233537de51d4d6dd5a1b1c7426fe64027355ca328b7078de78d3390e7239ffb509c796c46d5b415b3966e7e9b0c963ab8522d3fd65be1fb08c284fe24a8a389daac6ae1182ab1a843615bd31fdc3b8d76f22de88d75df17336c3d53fb7bcb415fffdca2d06138e196b8ac5d8b37d775d533c09911ae9d41c1727584be0241425f67244894d19b27be073fb9b84f817451e17ab7ed9d23e2bee0d52804133c31039edd7a6c8fc60718c67fde478e3f289e0406cfa5543477bdec899be91743df5bdb5ffe8e1e57a2cd409d7e6222dade1827	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 0f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d0b000000010000001e000000440053005400200052006f006f0074002000430041002000580033000000090000000100000016000000301406082b0601050507030406082b06010505070301140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc415608589101d00000001000000100000004558d512eecb27464920897de7b66053030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c1320000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\317A2AD07F2B335EF5A1C34E4B57E8B7D8F1FCA6	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\AD7E1C28B064EF8F6003402014C3D0E3370EB58A\Blob = 190000000100000010000000fd960962ac6938e0d4b0769aa1a64e26030000000100000014000000ad7e1c28b064ef8f6003402014c3d0e3370eb58a1d000000010000001000000090c4f4233b006b7bfaa6adcd8f577d77140000000100000014000000bf5fb7d1cedd1f86f45b55acdcd710c20ea988e709000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000004800000030463021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107170330123010060a2b0601040182373c0101030200c00b000000010000005400000053007400610072006600690065006c006400200043006c00610073007300200032002000430065007200740069006600690063006100740069006f006e00200041007500740068006f00720069007400790000000f00000001000000140000000f6aad4c3fe04619cdc8b2bd655aa1a26042e6502000000001000000130400003082040f308202f7a003020102020100300d06092a864886f70d01010505003068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479301e170d3034303632393137333931365a170d3334303632393137333931365a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f7269747930820120300d06092a864886f70d01010105000382010d00308201080282010100b732c8fee971a60485ad0c1164dfce4defc80318873fa1abfb3ca69ff0c3a1dad4d86e2b5390fb24a43e84f09ee85fece52744f528a63f7bdee02af0c8af532f9eca0501931e8f661c39a74dfa5ab673042566eb777fe759c64a99251454eb26c7f37f19d530708fafb0462affadeb29edd79faa0487a3d4f989a5345fdb43918236d9663cb1b8b982fd9c3a3e10c83bef0665667a9b19183dff71513c302e5fbe3d7773b25d066cc323569a2b8526921ca702b3e43f0daf087982b8363dea9cd335b3bc69caf5cc9de8fd648d1780336e5e4a5d99c91e87b49d1ac0d56e1335235edf9b5f3defd6f776c2ea3ebb780d1c42676b04d8f8d6da6f8bf244a001ab020103a381c53081c2301d0603551d0e04160414bf5fb7d1cedd1f86f45b55acdcd710c20ea988e73081920603551d2304818a3081878014bf5fb7d1cedd1f86f45b55acdcd710c20ea988e7a16ca46a3068310b300906035504061302555331253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e31323030060355040b1329537461726669656c6420436c61737320322043657274696669636174696f6e20417574686f72697479820100300c0603551d13040530030101ff300d06092a864886f70d01010505000382010100059d3f889dd1c91a55a1ac69f3f359da9b01871a4f57a9a179092adbf72fb21eccc75e6ad88387a197ef49353e7706415862bf8e58b80a673fecb3dd21661fc954fa72cc3d4c40d881af779e837abba2c7f534178ed91140f4fc2c2a4d157fa7625d2e25d3000b201a1d68f917b8f4bd8bed2859dd4d168b1783c8b265c72d7aa5aabc53866ddd57a4caf820410b68f0f4fb74be565d7a79f5f91d85e32d95bef5719043cc8d1f9a000a8729e95522580023eae31243295b4708dd8c416a6506a8e521aa41b4952195b97dd134ab13d6adbcdce23d39cdbd3e7570a1185903c922b48f9cd55e2ad7a5b6d40a6df8b74011469a1f790e62bf0f97ece02f1f1794	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\ROOT\Certificates\CABD2A79A1076A31F21D253635CB039D4329A5E8	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\DAC9024F54D8F6DF94935FB1732638CA6AD77C13\Blob = 1900000001000000100000006cf252fec3e8f20996de5d4dd9aef424030000000100000014000000dac9024f54d8f6df94935fb1732638ca6ad77c131d00000001000000100000004558d512eecb27464920897de7b66053140000000100000014000000c4a7b1a47b2c71fadbe14b9075ffc41560858910090000000100000016000000301406082b0601050507030406082b060105050703010b000000010000001e000000440053005400200052006f006f00740020004300410020005800330000000f00000001000000140000005bcaa1c2780f0bcb5a90770451d96f38963f012d20000000010000004e0300003082034a30820232a003020102021044afb080d6a327ba893039862ef8406b300d06092a864886f70d0101050500303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f74204341205833301e170d3030303933303231313231395a170d3231303933303134303131355a303f31243022060355040a131b4469676974616c205369676e617475726520547275737420436f2e311730150603550403130e44535420526f6f7420434120583330820122300d06092a864886f70d01010105000382010f003082010a0282010100dfafe99750088357b4cc6265f69082ecc7d32c6b30ca5becd9c37dc740c118148be0e83376492ae33f214993ac4e0eaf3e48cb65eefcd3210f65d22ad9328f8ce5f777b0127bb595c089a3a9baed732e7a0c063283a27e8a1430cd11a0e12a38b9790a31fd50bd8065dfb7516383c8e28861ea4b6181ec526bb9a2e24b1a289f48a39e0cda098e3e172e1edd20df5bc62a8aab2ebd70adc50b1a25907472c57b6aab34d63089ffe568137b540bc8d6aeec5a9c921e3d64b38cc6dfbfc94170ec1672d526ec38553943d0fcfd185c40f197ebd59a9b8d1dbada25b9c6d8dfc115023aabda6ef13e2ef55c089c3cd68369e4109b192ab62957e3e53d9b9ff0025d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414c4a7b1a47b2c71fadbe14b9075ffc41560858910300d06092a864886f70d01010505000382010100a31a2c9b17005ca91eee2866373abf83c73f4bc309a095205de3d95944d23e0d3ebd8a4ba0741fce10829c741a1d7e981addcb134bb32044e491e9ccfc7da5db6ae5fee6fde04eddb7003ab57049aff2e5eb02f1d1028b19cb943a5e48c4181e58195f1e025af00cf1b1ada9dc59868b6ee991f586cafab96633aa595bcee2a7167347cb2bcc99b03748cfe3564bf5cf0f0c723287c6f044bb53726d43f526489a5267b758abfe67767178db0da256141339243185a2a8025a3047e1dd5007bc02099000eb6463609b16bc88c912e6d27d918bf93d328d65b4e97cb15776eac5b62839bf15651cc8f677966a0a8d770bd8910b048e07db29b60aee9d82353510	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
1292	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
1292	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 43 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1644	wmic.exe
Token: SeSecurityPrivilege	1644	wmic.exe
Token: SeTakeOwnershipPrivilege	1644	wmic.exe
Token: SeLoadDriverPrivilege	1644	wmic.exe
Token: SeSystemProfilePrivilege	1644	wmic.exe
Token: SeSystemtimePrivilege	1644	wmic.exe
Token: SeProfSingleProcessPrivilege	1644	wmic.exe
Token: SeIncBasePriorityPrivilege	1644	wmic.exe
Token: SeCreatePagefilePrivilege	1644	wmic.exe
Token: SeBackupPrivilege	1644	wmic.exe
Token: SeRestorePrivilege	1644	wmic.exe
Token: SeShutdownPrivilege	1644	wmic.exe
Token: SeDebugPrivilege	1644	wmic.exe
Token: SeSystemEnvironmentPrivilege	1644	wmic.exe
Token: SeRemoteShutdownPrivilege	1644	wmic.exe
Token: SeUndockPrivilege	1644	wmic.exe
Token: SeManageVolumePrivilege	1644	wmic.exe
Token: 33	1644	wmic.exe
Token: 34	1644	wmic.exe
Token: 35	1644	wmic.exe
Token: SeIncreaseQuotaPrivilege	1644	wmic.exe
Token: SeSecurityPrivilege	1644	wmic.exe
Token: SeTakeOwnershipPrivilege	1644	wmic.exe
Token: SeLoadDriverPrivilege	1644	wmic.exe
Token: SeSystemProfilePrivilege	1644	wmic.exe
Token: SeSystemtimePrivilege	1644	wmic.exe
Token: SeProfSingleProcessPrivilege	1644	wmic.exe
Token: SeIncBasePriorityPrivilege	1644	wmic.exe
Token: SeCreatePagefilePrivilege	1644	wmic.exe
Token: SeBackupPrivilege	1644	wmic.exe
Token: SeRestorePrivilege	1644	wmic.exe
Token: SeShutdownPrivilege	1644	wmic.exe
Token: SeDebugPrivilege	1644	wmic.exe
Token: SeSystemEnvironmentPrivilege	1644	wmic.exe
Token: SeRemoteShutdownPrivilege	1644	wmic.exe
Token: SeUndockPrivilege	1644	wmic.exe
Token: SeManageVolumePrivilege	1644	wmic.exe
Token: 33	1644	wmic.exe
Token: 34	1644	wmic.exe
Token: 35	1644	wmic.exe
Token: SeBackupPrivilege	2228	vssvc.exe
Token: SeRestorePrivilege	2228	vssvc.exe
Token: SeAuditPrivilege	2228	vssvc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2288	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe

Suspicious use of SendNotifyMessage 1 IoCs

pid	Process
2288	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe

Suspicious use of WriteProcessMemory 9 IoCs

description	pid	Process	procid_target
PID 2288 wrote to memory of 1292	2288	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe	30
PID 2288 wrote to memory of 1292	2288	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe	30
PID 2288 wrote to memory of 1292	2288	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe	30
PID 2288 wrote to memory of 1292	2288	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe	30
PID 2288 wrote to memory of 1292	2288	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe	30
PID 1292 wrote to memory of 1644	1292	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe	34
PID 1292 wrote to memory of 1644	1292	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe	34
PID 1292 wrote to memory of 1644	1292	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe	34
PID 1292 wrote to memory of 1644	1292	41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe	34

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of FindShellTrayWindow
- Suspicious use of SendNotifyMessage
- Suspicious use of WriteProcessMemory
PID:2288
- C:\Users\Admin\AppData\Local\Temp\41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Temp\41b007b09b3da5bf2f1e6bf34d7ca6c1_JaffaCakes118.exe
  2⤵
  - Enumerates connected drives
  - Drops file in Program Files directory
  - Checks processor information in registry
  - Modifies system certificate store
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  PID:1292
- - C:\Windows\SysWOW64\wbem\wmic.exe
    "C:\Windows\system32\wbem\wmic.exe" shadowcopy delete
    3⤵
    - Suspicious use of AdjustPrivilegeToken
    PID:1644

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
- Suspicious use of AdjustPrivilegeToken
PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Windows Management Instrumentation

T1047

Persistence

Privilege Escalation

Defense Evasion

Indicator Removal

T1070

File Deletion

T1070.004

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Inhibit System Recovery

T1490

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
1f38aab9e31308f41aba31198f9ecbbf

SHA1
827d421a5288ab0e7e918236083581bcf327072b

SHA256
c40b23ee765bde3ac3745730e44a1228a78394ac76b63f2492873005e250e400

SHA512
2bb5740f95e827996de3bfd32b0ad089f23294ad4a45500948e3394e595dd1436638aa4ce92354936ead130a20166adc357ed4f68042bb254f3a8d0d5e8e5607

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0790d30ccdb0c14f2704b448a6849fe5

SHA1
3a0f169dc1cc3163876e30489a0d66b3be930157

SHA256
aa5e1106f15375173cff481dba0c3bc22c90cb075b7d941832cad57dc594b11b

SHA512
5c7e41661adb07dcab4c2fd826d546e16b3bf705e4de76f42b42ba86ac8565d487f1b4bcb8ce7b5dc1f0be9b731eb1d8e5533d22df5ceead277c38d5f9750de5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
c14178eb1bcc9a349177808f29981a89

SHA1
1fd61b57892ca2a97c0aa4275701ac90b3148454

SHA256
1818f6ea1b28ca9e0ad079c2b6a0e21776170ab7f94b5316da84281bf538e803

SHA512
b80d1ec20a6fb01ddb11c500e4d325c63cc6a34b8163e37747778e2a565904444e812e0853be006fc2f796ea3b2aadfb22bfb53757b63211d7f76e078c370c12

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab254.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2A5.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
F:\$RECYCLE.BIN\S-1-5-21-481678230-3773327859-3495911762-1000\KRAB-DECRYPT.txt

Filesize
8KB

MD5
4f3ad000e5041a07445e56d15bdbee58

SHA1
73086d2e724ae05fad14e204fde9139e22572c54

SHA256
79420949a7d3fdb2fe4bc590405edfecb2e26520fef8d986748d4f3145c6e8bb

SHA512
eb08b3cf004c55b2798c041d2d17537fa98f28968567190763d3ae530ae73c3177e938844e5309233a42ab53f7a7bca52d5c3e3a86bc38051acf87c1e46b1f91

Download Submit
memory/1292-984-0x0000000000400000-0x0000000000424000-memory.dmp

Filesize
144KB

Download
memory/2288-0-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download
memory/2288-1-0x00000000004E0000-0x00000000004E1000-memory.dmp

Filesize
4KB

Download
memory/2288-2-0x00000000003E0000-0x00000000003F0000-memory.dmp

Filesize
64KB

Download