6d1f5160fd581f155155e63457bd652c47627f607215a6c82c0cd218c3aed51c

General

Target

64bd2f10d23546457727fa5236217d06_JaffaCakes118.exe
Size

1.8MB
MD5

64bd2f10d23546457727fa5236217d06
SHA1

195f99d4f318b311c38dd2bedadd427361f552aa
SHA256

6d1f5160fd581f155155e63457bd652c47627f607215a6c82c0cd218c3aed51c
SHA512

3d7ac632f3f856a2d80f9c8ef12a7a364c6a98df3d569d40a5df6f0b15251ff1fa1541b4b516d818e4faf699b5e9eec9b9165e85f14cfd7603c1a1a90c84353f
SSDEEP

24576:lWxhHS/BqXw8fAn4ouMfKDmrSuc8hbq04HotXXjUtPkF1WjMxyspg8P:HWTI0AnrSeS0j1NxyTo

Score

6^/10

evasion persistence trojan

Malware Config

Signatures

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

64bd2f10d23546457727fa5236217d06_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3691908287-3775019229-3534252667-1000\Software\Microsoft\Windows\CurrentVersion\Run\LookThisUp = "\"C:\\Users\\Admin\\AppData\\Roaming\\LookThisUp\\64bd2f10d23546457727fa5236217d06_JaffaCakes118.exe\""	64bd2f10d23546457727fa5236217d06_JaffaCakes118.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

64bd2f10d23546457727fa5236217d06_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA	64bd2f10d23546457727fa5236217d06_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 4 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

64bd2f10d23546457727fa5236217d06_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5D003860F002ED829DEAA41868F788186D62127F	64bd2f10d23546457727fa5236217d06_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5D003860F002ED829DEAA41868F788186D62127F\Blob = 0f0000000100000014000000ef4b92510cf5214f96c19fe5dac82fe416b1167b090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b0601050508020253000000010000004800000030463021060b6086480186fd6e0107180230123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107180230123010060a2b0601040182373c0101030200c00b000000010000003800000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300200049006e0063002e000000140000000100000014000000b4c67f1a43cc9b755d2fc44bf28b9810e9f151101d0000000100000010000000b260d734a0ca2356e0899d1f624cb0c30300000001000000140000005d003860f002ed829deaa41868f788186d62127f2000000001000000820400003082047e30820366a003020102020100300d06092a864886f70d01010505003081cf310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313a3038060355040b1331687474703a2f2f6365727469666963617465732e737461726669656c64746563682e636f6d2f7265706f7369746f72792f313630340603550403132d537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479301e170d3038303630323030303030305a170d3239313233313233353935395a3081cf310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313a3038060355040b1331687474703a2f2f6365727469666963617465732e737461726669656c64746563682e636f6d2f7265706f7369746f72792f313630340603550403132d537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100f2cc562a4de616375a97ea6d3538d1109bdbb8dca9040995332e09c5007b1a78428fc8f4058efed268831e4e99cd17db473e50f389d2e7dc98fb05f8aad663f4544dc17103b01f1b76b31a343073f128326083fdb49cd7b6d222377c19aa3bde1310696e5c06d36fa3f2665a764248af80d154593dd4b9d4dbedb9ab3999f4ee62abe178727bd8388d40b6ccdc120070438569d818e3ca57729fb4df3ffc22a84252f5775b99f0562d2670163612c2279e57a67cd023f179dca3935828383d9fad3643ee37fbf8f943adc856f294125e42eb73b8130dcba6d586b9aa286a5403a13f0f29eb0900e83f5ea27f173da12bf8bed0751da484e3ab1765065200afb10203010001a3633061300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414b4c67f1a43cc9b755d2fc44bf28b9810e9f15110301f0603551d23041830168014b4c67f1a43cc9b755d2fc44bf28b9810e9f15110300d06092a864886f70d01010505000382010100ac80bbc425050b58a4e47e297eafbc3bec2dc0442ef991e0d23b3227902df680095cc2ab6524da381046c449d2fd9aab28487788c6e96fd14791d5354f1409a85b40071d7c7156cb8942d4bf61c022f72edfabf372438b40e894ebb026dad113d3abd0362d2e3a95b3772e1539180c69baaa80edf1534e339b6804e2a0302ed7d15dd4a6669d84e6e7bb3c89bb369dfc17a93d552b8afb9bc44c84ffdfd2be691b74b0a8f6eab09cb22974814c683a9a7f732539f513e0669169d4574bb7eead45e02cc388d3be9449891fff70d55b6d3913b01dcb98e667630d63f6fbc3d7617283883f707e53c99e8954d64f7f7d71b9aef1608b7760ecf8bffa6aa39c0122	64bd2f10d23546457727fa5236217d06_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5D003860F002ED829DEAA41868F788186D62127F\Blob = 190000000100000010000000bcc89a8d6bbded735c4bb4c5cdbb4c3c0300000001000000140000005d003860f002ed829deaa41868f788186d62127f1d0000000100000010000000b260d734a0ca2356e0899d1f624cb0c3140000000100000014000000b4c67f1a43cc9b755d2fc44bf28b9810e9f151100b000000010000003800000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300200049006e0063002e00000053000000010000004800000030463021060b6086480186fd6e0107180230123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107180230123010060a2b0601040182373c0101030200c0090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b060105050802020f0000000100000014000000ef4b92510cf5214f96c19fe5dac82fe416b1167b2000000001000000820400003082047e30820366a003020102020100300d06092a864886f70d01010505003081cf310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313a3038060355040b1331687474703a2f2f6365727469666963617465732e737461726669656c64746563682e636f6d2f7265706f7369746f72792f313630340603550403132d537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479301e170d3038303630323030303030305a170d3239313233313233353935395a3081cf310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313a3038060355040b1331687474703a2f2f6365727469666963617465732e737461726669656c64746563682e636f6d2f7265706f7369746f72792f313630340603550403132d537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100f2cc562a4de616375a97ea6d3538d1109bdbb8dca9040995332e09c5007b1a78428fc8f4058efed268831e4e99cd17db473e50f389d2e7dc98fb05f8aad663f4544dc17103b01f1b76b31a343073f128326083fdb49cd7b6d222377c19aa3bde1310696e5c06d36fa3f2665a764248af80d154593dd4b9d4dbedb9ab3999f4ee62abe178727bd8388d40b6ccdc120070438569d818e3ca57729fb4df3ffc22a84252f5775b99f0562d2670163612c2279e57a67cd023f179dca3935828383d9fad3643ee37fbf8f943adc856f294125e42eb73b8130dcba6d586b9aa286a5403a13f0f29eb0900e83f5ea27f173da12bf8bed0751da484e3ab1765065200afb10203010001a3633061300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414b4c67f1a43cc9b755d2fc44bf28b9810e9f15110301f0603551d23041830168014b4c67f1a43cc9b755d2fc44bf28b9810e9f15110300d06092a864886f70d01010505000382010100ac80bbc425050b58a4e47e297eafbc3bec2dc0442ef991e0d23b3227902df680095cc2ab6524da381046c449d2fd9aab28487788c6e96fd14791d5354f1409a85b40071d7c7156cb8942d4bf61c022f72edfabf372438b40e894ebb026dad113d3abd0362d2e3a95b3772e1539180c69baaa80edf1534e339b6804e2a0302ed7d15dd4a6669d84e6e7bb3c89bb369dfc17a93d552b8afb9bc44c84ffdfd2be691b74b0a8f6eab09cb22974814c683a9a7f732539f513e0669169d4574bb7eead45e02cc388d3be9449891fff70d55b6d3913b01dcb98e667630d63f6fbc3d7617283883f707e53c99e8954d64f7f7d71b9aef1608b7760ecf8bffa6aa39c0122	64bd2f10d23546457727fa5236217d06_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\5D003860F002ED829DEAA41868F788186D62127F\Blob = 040000000100000010000000cf8f3b62a3caca711ba3e1cb4857351f0f0000000100000014000000ef4b92510cf5214f96c19fe5dac82fe416b1167b090000000100000068000000306606082b0601050507030106082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030806082b06010505070309060a2b0601040182370a030406082b0601050507030606082b0601050507030706082b0601050508020253000000010000004800000030463021060b6086480186fd6e0107180230123010060a2b0601040182373c0101030200c03021060b6086480186fd6e0107180230123010060a2b0601040182373c0101030200c00b000000010000003800000053007400610072006600690065006c006400200054006500630068006e006f006c006f006700690065007300200049006e0063002e000000140000000100000014000000b4c67f1a43cc9b755d2fc44bf28b9810e9f151101d0000000100000010000000b260d734a0ca2356e0899d1f624cb0c30300000001000000140000005d003860f002ed829deaa41868f788186d62127f190000000100000010000000bcc89a8d6bbded735c4bb4c5cdbb4c3c2000000001000000820400003082047e30820366a003020102020100300d06092a864886f70d01010505003081cf310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313a3038060355040b1331687474703a2f2f6365727469666963617465732e737461726669656c64746563682e636f6d2f7265706f7369746f72792f313630340603550403132d537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f72697479301e170d3038303630323030303030305a170d3239313233313233353935395a3081cf310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c6531253023060355040a131c537461726669656c6420546563686e6f6c6f676965732c20496e632e313a3038060355040b1331687474703a2f2f6365727469666963617465732e737461726669656c64746563682e636f6d2f7265706f7369746f72792f313630340603550403132d537461726669656c6420536572766963657320526f6f7420436572746966696361746520417574686f7269747930820122300d06092a864886f70d01010105000382010f003082010a0282010100f2cc562a4de616375a97ea6d3538d1109bdbb8dca9040995332e09c5007b1a78428fc8f4058efed268831e4e99cd17db473e50f389d2e7dc98fb05f8aad663f4544dc17103b01f1b76b31a343073f128326083fdb49cd7b6d222377c19aa3bde1310696e5c06d36fa3f2665a764248af80d154593dd4b9d4dbedb9ab3999f4ee62abe178727bd8388d40b6ccdc120070438569d818e3ca57729fb4df3ffc22a84252f5775b99f0562d2670163612c2279e57a67cd023f179dca3935828383d9fad3643ee37fbf8f943adc856f294125e42eb73b8130dcba6d586b9aa286a5403a13f0f29eb0900e83f5ea27f173da12bf8bed0751da484e3ab1765065200afb10203010001a3633061300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e04160414b4c67f1a43cc9b755d2fc44bf28b9810e9f15110301f0603551d23041830168014b4c67f1a43cc9b755d2fc44bf28b9810e9f15110300d06092a864886f70d01010505000382010100ac80bbc425050b58a4e47e297eafbc3bec2dc0442ef991e0d23b3227902df680095cc2ab6524da381046c449d2fd9aab28487788c6e96fd14791d5354f1409a85b40071d7c7156cb8942d4bf61c022f72edfabf372438b40e894ebb026dad113d3abd0362d2e3a95b3772e1539180c69baaa80edf1534e339b6804e2a0302ed7d15dd4a6669d84e6e7bb3c89bb369dfc17a93d552b8afb9bc44c84ffdfd2be691b74b0a8f6eab09cb22974814c683a9a7f732539f513e0669169d4574bb7eead45e02cc388d3be9449891fff70d55b6d3913b01dcb98e667630d63f6fbc3d7617283883f707e53c99e8954d64f7f7d71b9aef1608b7760ecf8bffa6aa39c0122	64bd2f10d23546457727fa5236217d06_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 5 IoCs

Processes:

64bd2f10d23546457727fa5236217d06_JaffaCakes118.exe

description	pid	process
Token: SeDebugPrivilege	2024	64bd2f10d23546457727fa5236217d06_JaffaCakes118.exe
Token: 33	2024	64bd2f10d23546457727fa5236217d06_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2024	64bd2f10d23546457727fa5236217d06_JaffaCakes118.exe
Token: 33	2024	64bd2f10d23546457727fa5236217d06_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2024	64bd2f10d23546457727fa5236217d06_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\64bd2f10d23546457727fa5236217d06_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\64bd2f10d23546457727fa5236217d06_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Checks whether UAC is enabled
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

1

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Defense Evasion

Modify Registry

2

T1112

Subvert Trust Controls

1

T1553

Install Root Certificate

1

T1553.004

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
76b8adda1f83a2f5541d0c6fb4bed3c0

SHA1
9d2ee78bd9b76adf551eeba66107f84f419b62f3

SHA256
d89839d90a3be03d1171b1789c4b6f0a7d572f1eb5539bd1d2016fd94505c557

SHA512
b79c51a720bf853a90b2151b218d9306ddf2b1c7fab1fbbfbe91f12c0dd129c519df11ac8aee212e619a3cb4ff3db2544cae5ea83d1d5668a8f126d290fa5639

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab3304.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar3326.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
memory/2024-117-0x000007FEF5700000-0x000007FEF609D000-memory.dmp

Filesize
9.6MB

Download
memory/2024-8-0x000007FEF5700000-0x000007FEF609D000-memory.dmp

Filesize
9.6MB

Download
memory/2024-116-0x000000001B310000-0x000000001B3BA000-memory.dmp

Filesize
680KB

Download
memory/2024-0-0x000007FEF59BE000-0x000007FEF59BF000-memory.dmp

Filesize
4KB

Download
memory/2024-118-0x000007FEF5700000-0x000007FEF609D000-memory.dmp

Filesize
9.6MB

Download
memory/2024-119-0x000007FEF5700000-0x000007FEF609D000-memory.dmp

Filesize
9.6MB

Download
memory/2024-120-0x000007FEF5700000-0x000007FEF609D000-memory.dmp

Filesize
9.6MB

Download
memory/2024-121-0x000007FEF5700000-0x000007FEF609D000-memory.dmp

Filesize
9.6MB

Download
memory/2024-122-0x000007FEF59BE000-0x000007FEF59BF000-memory.dmp

Filesize
4KB

Download
memory/2024-123-0x000007FEF5700000-0x000007FEF609D000-memory.dmp

Filesize
9.6MB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads