sodinokibi | c86d0f1e2ba023322a6d580286a0eae480a3bdd3012c444207907ef0c16eca64

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240426-en
resource tags

arch:x64arch:x86image:win10v2004-20240426-enlocale:en-usos:windows10-2004-x64system
submitted
22-05-2024 11:42

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
Size

115KB
MD5

6723ff71492b60139a98a6497a87cf3b
SHA1

c79e132a14983ee2faf3224e71d30d7e8b922d51
SHA256

c86d0f1e2ba023322a6d580286a0eae480a3bdd3012c444207907ef0c16eca64
SHA512

16f719522a25996ede291c22d4a196495f516df02cfe1b9dd3d08b7400f23063f06514e20f173dbcd7131d789db9be8bd215d4bde6340e3a8ac391b888070057
SSDEEP

1536:AkdeUcaK8Qz4PQIUnq5WMrAmyopACC9ICS4A0vh4NKIVUDw003R32Jys/XNu0z+T:mlnXEXyk7yvh4NKAWg3AJyEu2

Score

10^/10

sodinokibi persistence ransomware

Malware Config

Extracted

Path

C:\Users\mx813nrt2-readme.txt

Family

sodinokibi

Ransom Note

---=== Welcome. Again. ===--- [+] Whats Happen? [+] Your files are encrypted, and currently unavailable. You can check it: all files on you computer has expansion mx813nrt2. By the way, everything is possible to recover (restore), but you need to follow our instructions. Otherwise, you cant return your data (NEVER). [+] What guarantees? [+] Its just a business. We absolutely do not care about you and your deals, except getting benefits. If we do not do our work and liabilities - nobody will not cooperate with us. Its not in our interests. To check the ability of returning files, You should go to our website. There you can decrypt one file for free. That is our guarantee. If you will not cooperate with our service - for us, its does not matter. But you will lose your time and data, cause just we have the private key. In practise - time is much more valuable than money. [+] How to get access on website? [+] You have two ways: 1) [Recommended] Using a TOR browser! a) Download and install TOR browser from this site: https://torproject.org/ b) Open our website: http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BBB456361FD4EE79 2) If TOR blocked in your country, try to use VPN! But you can use our secondary website. For this: a) Open your any browser (Chrome, Firefox, Opera, IE, Edge) b) Open our secondary website: http://decryptor.cc/BBB456361FD4EE79 Warning: secondary website can be blocked, thats why first variant much better and more available. When you open our website, put the following data in the input form: Key: +gthiD2xbC/wQvlyFevpGux9rf+d7C8QcmeAqZFctEkiAk8v9pFHc1ov0qD3a79S fABxb1k0xXGiZ3XVoqPdv3aYSGUSSVaA70OZE6fkN9Cv6DAV2JO3vDagePRM1dC2 R6g55yHjgeBUV3UaNHEZ6ud9Sp+3z/2URop9yqN+Z4x+jXUdQkotxyCquHUkr3+Q N8ORfXLrhhYln1ojhI1e0hkJ3Qmfw+vdUOMUyeFI+vH6eXsuRv+DsaalYaGxlCLq h43RuArsFVzjJsztKxxNiHIGdX+jnW1AUmGHdVvNbh5t+IpEx5CgzfDtmOApfBaE LhUsBe7wyej5Oy7D5T363uus7WhRP2yGumyqm9H51IvV2Bi1v+zVDGfz8G+1uptt v4EMWCsrnbDUuixFRRJLGvQ26Lqoet1pDxs1J3FhIyh0/Orx/rOVLmKYGotYdCB0 PwSwPfMgTeGCWI52aX0X+Wj/Q/VP4//k/nzDVNPWASOZ2qaMetOGCejIExgn/1hc prTm7EMAjlntwkSlOUSbJgsEy+bpA3+SJC4FXvcBlPLhDjTLZTfVtzc84SB8Obis 5JMyNk9eFaaydiv6Ba9AshkSebBRVMmAsl1lYrWU/bTOB4bgf+RPFDWu8uVnbeTM BHS68YRs/01eiWAbpHsZYGK1X0+OadKjhaG8jvYKWf/EIGZaynYxiC5fYbIkOz77 ybnR3heh7OYiYXaDOI+FOUBH/WKVoyI5rpl5HWjnQv3dQyW0RFsfMZlIR41nJ8kD wFG/lMcB1cs9m/Pck2y1sMYIGj4qTgU1q7daYvZJ8LXEgAHAl0cYP2uw+s82Omp2 mSmHrrdlrQGisxSsbJMSC+A0t2ZUO/5boDaSrHnhzuE/4U/Wwdwfeiv4t77Lrfr8 6hpQVAwSN/fdOAwtKcsrb9gRrOfBN+w6BH+asfPdRl8sc8HBq8/ccCGyO+XyIHhw SjM1iFK7NHh7qo0N0u44Mv7EGQtMK3bbC3A041uugt+FtDRtJzu/KHDtpMP1eINZ DuTphfqlrGMaoKAYE0kEOlc2GXKBv4yY2olGAD/GUVCLug4ZYzgDFeIfeAa1ycSZ nuNTGqGpHaCLD4SZ8Qz+Y9gI6y38KG5ELjsdlm/2A5Up2YVX5TIRk4q8pLSgb9lI LhkeTnp6txG0bCuDHtL0GzmXjOm/8CB0T95Wd2x96fUZV47sY4ItKfxsGkPzChBt SGgaFCg69IKX6+ajOUZzgbbEemAQF9uPAr7WNXCr5JtaxUjdSG8KU4e28m4OJ/Kp kBq/o5QTznoHKEdHg+qgwFQECVarLYu126cn5OnUR3TghEso4ne3r91UB5688hB6 fNy8gUdYcU9Ev2yCPHwufXJ78o2caE0abH/BnllR0SblYhBeMhKWj3iuH9Q= Extension name: mx813nrt2 ----------------------------------------------------------------------------------------- !!! DANGER !!! DONT try to change files by yourself, DONT use any third party software for restoring your data or antivirus solutions - its may entail damge of the private key and, as result, The Loss all data. !!! !!! !!! ONE MORE TIME: Its in your interests to get your files back. From our side, we (the best specialists) make everything for restoring, but please should not interfere. !!! !!! !!!

URLs

http://aplebzu47wgazapdqks6vrcv6zcnjppkbxbr6wketf56nf6aq2nmyoyd.onion/BBB456361FD4EE79

http://decryptor.cc/BBB456361FD4EE79

Signatures

Sodin,Sodinokibi,REvil
Ransomware with advanced anti-analysis and privilege escalation functionality.
ransomware sodinokibi

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\7THSMUAouJ = "C:\\Users\\Admin\\AppData\\Local\\Temp\\6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe"	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe

Enumerates connected drives 3 TTPs 25 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

description	ioc	Process
File opened (read-only)	\??\Q:	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened (read-only)	\??\R:	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened (read-only)	\??\V:	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened (read-only)	\??\E:	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened (read-only)	\??\U:	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened (read-only)	\??\Z:	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened (read-only)	\??\J:	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened (read-only)	\??\N:	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened (read-only)	\??\T:	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened (read-only)	\??\B:	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened (read-only)	\??\X:	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened (read-only)	\??\H:	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened (read-only)	\??\I:	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened (read-only)	\??\K:	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened (read-only)	\??\M:	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened (read-only)	\??\P:	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened (read-only)	\??\L:	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened (read-only)	\??\O:	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened (read-only)	\??\D:	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened (read-only)	\??\A:	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened (read-only)	\??\G:	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened (read-only)	\??\S:	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened (read-only)	\??\W:	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened (read-only)	\??\Y:	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened (read-only)	\??\F:	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe

Sets desktop wallpaper using registry 2 TTPs 1 IoCs

ransomware

Defacement

T1491

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\Control Panel\Desktop\Wallpaper = "C:\\Users\\Admin\\AppData\\Local\\Temp\\n18u.bmp"	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe

Drops file in Program Files directory 33 IoCs

description	ioc	Process
File opened for modification	\??\c:\program files\JoinUninstall.ppsm	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File created	\??\c:\program files (x86)\mx813nrt2-readme.txt	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\HideConvertFrom.html	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\InvokeConvertTo.MTS	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\RemoveCompare.3gpp	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\StopMeasure.vdx	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File created	\??\c:\program files\mx813nrt2-readme.txt	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\CompressInstall.jpeg	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\DebugSend.TS	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\RenameSubmit.xsl	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\EditExit.rmi	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ResumeOpen.wav	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\DenyApprove.rm	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\FormatProtect.dwg	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ReceiveCompare.tiff	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\RevokeResume.3gpp	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\StartStep.php	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\UndoUnblock.txt	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ConvertClose.jpg	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ExitRestart.xps	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\MountConfirm.midi	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\PopBlock.shtml	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\RepairGroup.eps	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\UnregisterSplit.doc	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\GroupCheckpoint.jfif	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\InvokeDismount.htm	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\StopPing.asf	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\UndoCopy.tmp	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\WatchLock.001	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\EnableNew.dwg	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\ExitEdit.asx	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\MountExpand.ADTS	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
File opened for modification	\??\c:\program files\OpenApprove.xml	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe

Modifies system certificate store 2 TTPs 14 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 5c000000010000000400000000080000040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d578112861900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa2200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30779E9315022E94856A3FF8BCF815B082F9AEFD\Blob = 0f0000000100000014000000a16d1faa61f7277cd9abc31c9c893ed7b41efb197f0000000100000066000000306406082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030506082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b0601050507030809000000010000005c000000305a06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b0601050507030853000000010000004600000030443020060a2b06010401f33906010130123010060a2b0601040182373c0101030200c03020060a2b06010401f33906010230123010060a2b0601040182373c0101030200c062000000010000002000000023804203ca45d8cde716b8c13bf3b448457fa06cc10250997fa01458317c41e50b000000010000001600000049007a0065006e00700065002e0063006f006d0000001400000001000000140000001d1c650ea8f2257bb491cfe4b1b1e6bd55746c051d0000000100000010000000d895a1485825711bece16ab985d86da27a000000010000000c000000300a06082b060105050703097e000000010000000800000000c0032f2df8d60168000000010000000800000000005899a154da0103000000010000001400000030779e9315022e94856a3ff8bcf815b082f9aefd2000000001000000f4050000308205f0308203d8a003020102020f06e846272f1f0a8fd1845ce369f6d5300d06092a864886f70d01010505003038310b300906035504061302455331143012060355040a0c0b495a454e504520532e412e3113301106035504030c0a497a656e70652e636f6d301e170d3037313231333133303832375a170d3337313231333038323732355a3038310b300906035504061302455331143012060355040a0c0b495a454e504520532e412e3113301106035504030c0a497a656e70652e636f6d30820222300d06092a864886f70d01010105000382020f003082020a0282020100c9d37aca0f1eaca786e816656ab1c21b45327195d9fe105bccafe7a579018f89c3caf25571f777be7794f372a42c44d89e929b143aa1e724900a0a568ec5d82694e1d948e12d3eda0a72dda39915da81a287f47b6e26778958add6eb0cb2417a736e6ddb7a7841e90888127e872e6611636c54fb3c9d72c0bc2effc2b7dd0d76e33ad7f7b468bea2f5e3816ec1466f5d8de04dc65455891a33310ab157b9a38a98c3ec3b34c59541697e75c23c20c561ba5147a0209093a1904bf34e7c8545549ad1052641b0b54d1d33bec403c8257cc170db3bf4092d542748ac2fe1c4ac3ec8cb924c53393723ecd301f9e009444d4d64c0e10d5a8722bcad1ba3fe26b515f3a7fc8419e9eca188b444698483f389d17406a9cc0bd6c2de27855026ca17b8c97a87562c1a011e6cbe13ad10acb524f53891a1d64bdaf1bbd2de47b5f1bc81f6596bcf1953e98d15cb4acba96f44e51b41cfe186a7cad06a9fbc4c8d06335aa285e59035a0625c164ef0e3a2fa031ab42c71b3582cde7b0bdb1a0febde211f06770603b0c9ef99fcc0b94f0b8628fed2b9eae3daa5c3476912e0dbf0f6198bed7b70d702d6ed8718282c04244c77e4488a1ac63b9ad40fcafa75d201405a8d79bf8bcf4bcfaa16c195e4ad4c8a3e1791d4b162e582e58004a4037e8dbfda7fa20f974f0cd30dfbd7d1e5727e1cc877ff5b9a0fb7ae0546e5f1a816ec47a4170203010001a381f63081f33081b00603551d110481a83081a5810f696e666f40697a656e70652e636f6da4819130818e31473045060355040a0c3e495a454e504520532e412e202d20434946204130313333373236302d524d6572632e5669746f7269612d4761737465697a205431303535204636322053383143304106035504090c3a417664612064656c204d65646974657272616e656f2045746f726269646561203134202d203031303130205669746f7269612d4761737465697a300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604141d1c650ea8f2257bb491cfe4b1b1e6bd55746c05300d06092a864886f70d01010505000382020100c781466f21184fa005efe7d5ba9750a260eda592141a529bf9f1884aa0dc7875d1d51f954ec5e7b769e622f4f829a82a89becfcf768fe331739d26d31c1b4716290768848ad2fbb11b243ed298182c248eaff67bea44161b2ac4faa097e9ea6c58a4ef75ab0062d19ded1336db220bb6f0d1f46e7b4687c29dbcbdbe423bb773d09a2a3cb45b121600af19398dad83501cc8814fbd020f3d9e3596eeefe4c2037c291c027ebd34275eaf53d69d17bf576ce9d08310afbf5d4def907b5d2bacecea7d002617cc025c63d71918a7ec2bc78a3e580e8a87e6839f4eb2341eac54094f1d020b397e810815b9a06913c8322be3ad6c13d6839d232db26da288867ea80d01260940d9ed284e8c93240fdbf11e4d7a7a5ae2a558f1dc8f5f99820c2ecfb2dd98cc92943ff909b3a596255b37f5128541e2194cc68a08c1dc187a0f1e3f8259a29a3e3ff9e0099ffdc1914b5dc97bd6b689fcdf1d7c86aacd03f20b5292f1626f7f87eaab76c96c50c21982afaa1df52028682ed5fc64374fcfa544c4be72b48c74b46ca7faf2bd7438432bdeaff9dcd8e09d9fdc3dcaa56344bf92a24f4c801cbb1ac39a4a04554dcaee260b1cbf02c564d39e7ed2d3911c4ba2f51ce5171c0d0c52a3911f9cf021ed02946fa9a049cae8438cc4f434da7c22a3c6663eb81b05885dbabcf7bce5dc143da786a8b6595221035e8be304ed4b2a1ea34f50	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30779E9315022E94856A3FF8BCF815B082F9AEFD\Blob = 190000000100000010000000ee8d49b7586d213f273a2c1e1b11bffb0f0000000100000014000000a16d1faa61f7277cd9abc31c9c893ed7b41efb197f0000000100000066000000306406082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030506082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b0601050507030809000000010000005c000000305a06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b0601050507030853000000010000004600000030443020060a2b06010401f33906010130123010060a2b0601040182373c0101030200c03020060a2b06010401f33906010230123010060a2b0601040182373c0101030200c062000000010000002000000023804203ca45d8cde716b8c13bf3b448457fa06cc10250997fa01458317c41e50b000000010000001600000049007a0065006e00700065002e0063006f006d0000001400000001000000140000001d1c650ea8f2257bb491cfe4b1b1e6bd55746c051d0000000100000010000000d895a1485825711bece16ab985d86da27a000000010000000c000000300a06082b060105050703097e000000010000000800000000c0032f2df8d60168000000010000000800000000005899a154da0103000000010000001400000030779e9315022e94856a3ff8bcf815b082f9aefd0400000001000000100000008714ab83c4041bf193c750e2d721ebef2000000001000000f4050000308205f0308203d8a003020102020f06e846272f1f0a8fd1845ce369f6d5300d06092a864886f70d01010505003038310b300906035504061302455331143012060355040a0c0b495a454e504520532e412e3113301106035504030c0a497a656e70652e636f6d301e170d3037313231333133303832375a170d3337313231333038323732355a3038310b300906035504061302455331143012060355040a0c0b495a454e504520532e412e3113301106035504030c0a497a656e70652e636f6d30820222300d06092a864886f70d01010105000382020f003082020a0282020100c9d37aca0f1eaca786e816656ab1c21b45327195d9fe105bccafe7a579018f89c3caf25571f777be7794f372a42c44d89e929b143aa1e724900a0a568ec5d82694e1d948e12d3eda0a72dda39915da81a287f47b6e26778958add6eb0cb2417a736e6ddb7a7841e90888127e872e6611636c54fb3c9d72c0bc2effc2b7dd0d76e33ad7f7b468bea2f5e3816ec1466f5d8de04dc65455891a33310ab157b9a38a98c3ec3b34c59541697e75c23c20c561ba5147a0209093a1904bf34e7c8545549ad1052641b0b54d1d33bec403c8257cc170db3bf4092d542748ac2fe1c4ac3ec8cb924c53393723ecd301f9e009444d4d64c0e10d5a8722bcad1ba3fe26b515f3a7fc8419e9eca188b444698483f389d17406a9cc0bd6c2de27855026ca17b8c97a87562c1a011e6cbe13ad10acb524f53891a1d64bdaf1bbd2de47b5f1bc81f6596bcf1953e98d15cb4acba96f44e51b41cfe186a7cad06a9fbc4c8d06335aa285e59035a0625c164ef0e3a2fa031ab42c71b3582cde7b0bdb1a0febde211f06770603b0c9ef99fcc0b94f0b8628fed2b9eae3daa5c3476912e0dbf0f6198bed7b70d702d6ed8718282c04244c77e4488a1ac63b9ad40fcafa75d201405a8d79bf8bcf4bcfaa16c195e4ad4c8a3e1791d4b162e582e58004a4037e8dbfda7fa20f974f0cd30dfbd7d1e5727e1cc877ff5b9a0fb7ae0546e5f1a816ec47a4170203010001a381f63081f33081b00603551d110481a83081a5810f696e666f40697a656e70652e636f6da4819130818e31473045060355040a0c3e495a454e504520532e412e202d20434946204130313333373236302d524d6572632e5669746f7269612d4761737465697a205431303535204636322053383143304106035504090c3a417664612064656c204d65646974657272616e656f2045746f726269646561203134202d203031303130205669746f7269612d4761737465697a300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604141d1c650ea8f2257bb491cfe4b1b1e6bd55746c05300d06092a864886f70d01010505000382020100c781466f21184fa005efe7d5ba9750a260eda592141a529bf9f1884aa0dc7875d1d51f954ec5e7b769e622f4f829a82a89becfcf768fe331739d26d31c1b4716290768848ad2fbb11b243ed298182c248eaff67bea44161b2ac4faa097e9ea6c58a4ef75ab0062d19ded1336db220bb6f0d1f46e7b4687c29dbcbdbe423bb773d09a2a3cb45b121600af19398dad83501cc8814fbd020f3d9e3596eeefe4c2037c291c027ebd34275eaf53d69d17bf576ce9d08310afbf5d4def907b5d2bacecea7d002617cc025c63d71918a7ec2bc78a3e580e8a87e6839f4eb2341eac54094f1d020b397e810815b9a06913c8322be3ad6c13d6839d232db26da288867ea80d01260940d9ed284e8c93240fdbf11e4d7a7a5ae2a558f1dc8f5f99820c2ecfb2dd98cc92943ff909b3a596255b37f5128541e2194cc68a08c1dc187a0f1e3f8259a29a3e3ff9e0099ffdc1914b5dc97bd6b689fcdf1d7c86aacd03f20b5292f1626f7f87eaab76c96c50c21982afaa1df52028682ed5fc64374fcfa544c4be72b48c74b46ca7faf2bd7438432bdeaff9dcd8e09d9fdc3dcaa56344bf92a24f4c801cbb1ac39a4a04554dcaee260b1cbf02c564d39e7ed2d3911c4ba2f51ce5171c0d0c52a3911f9cf021ed02946fa9a049cae8438cc4f434da7c22a3c6663eb81b05885dbabcf7bce5dc143da786a8b6595221035e8be304ed4b2a1ea34f50	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 1900000001000000100000002aa1c05e2ae606f198c2c5e937c97aa20f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349040000000100000010000000497904b0eb8719ac47b0bc11519b74d0200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 040000000100000010000000497904b0eb8719ac47b0bc11519b74d0030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e3491d00000001000000100000002e0d6875874a44c820912e85e964cfdb140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef453000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
Key created	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-540404634-651139247-2967210625-1000\SOFTWARE\Microsoft\SystemCertificates\CA\Certificates\A053375BFE84E8B748782C7CEE15827A6AF5A405\Blob = 030000000100000014000000a053375bfe84e8b748782c7cee15827a6af5a405140000000100000014000000142eb317b75856cbae500940e61faf9d8b14c2c6040000000100000010000000e829e65d7c4307d6fbc13c179e037a360f0000000100000020000000444ebd67bb83f8807b3921e938ac9178b882bd50aadb11231f044cf5f08df7ce190000000100000010000000f044424c506513d62804c04f719403f95c0000000100000004000000000800001800000001000000100000002fe1f70bb05d7c92335bc5e05b984da620000000010000001a05000030820516308202fea003020102021100912b084acf0c18a753f6d62e25a75f5a300d06092a864886f70d01010b0500304f310b300906035504061302555331293027060355040a1320496e7465726e65742053656375726974792052657365617263682047726f7570311530130603550403130c4953524720526f6f74205831301e170d3230303930343030303030305a170d3235303931353136303030305a3032310b300906035504061302555331163014060355040a130d4c6574277320456e6372797074310b300906035504031302523330820122300d06092a864886f70d01010105000382010f003082010a0282010100bb021528ccf6a094d30f12ec8d5592c3f882f199a67a4288a75d26aab52bb9c54cb1af8e6bf975c8a3d70f4794145535578c9ea8a23919f5823c42a94e6ef53bc32edb8dc0b05cf35938e7edcf69f05a0b1bbec094242587fa3771b313e71cace19befdbe43b45524596a9c153ce34c852eeb5aeed8fde6070e2a554abb66d0e97a540346b2bd3bc66eb66347cfa6b8b8f572999f830175dba726ffb81c5add286583d17c7e709bbf12bf786dcc1da715dd446e3ccad25c188bc60677566b3f118f7a25ce653ff3a88b647a5ff1318ea9809773f9d53f9cf01e5f5a6701714af63a4ff99b3939ddc53a706fe48851da169ae2575bb13cc5203f5ed51a18bdb150203010001a382010830820104300e0603551d0f0101ff040403020186301d0603551d250416301406082b0601050507030206082b0601050507030130120603551d130101ff040830060101ff020100301d0603551d0e04160414142eb317b75856cbae500940e61faf9d8b14c2c6301f0603551d2304183016801479b459e67bb6e5e40173800888c81a58f6e99b6e303206082b0601050507010104263024302206082b060105050730028616687474703a2f2f78312e692e6c656e63722e6f72672f30270603551d1f0420301e301ca01aa0188616687474703a2f2f78312e632e6c656e63722e6f72672f30220603551d20041b30193008060667810c010201300d060b2b0601040182df13010101300d06092a864886f70d01010b0500038202010085ca4e473ea3f7854485bcd56778b29863ad754d1e963d336572542d81a0eac3edf820bf5fccb77000b76e3bf65e94dee4209fa6ef8bb203e7a2b5163c91ceb4ed3902e77c258a47e6656e3f46f4d9f0ce942bee54ce12bc8c274bb8c1982fa2afcd71914a08b7c8b8237b042d08f908573e83d904330a472178098227c32ac89bb9ce5cf264c8c0be79c04f8e6d440c5e92bb2ef78b10e1e81d4429db5920ed63b921f81226949357a01d6504c10a22ae100d4397a1181f7ee0e08637b55ab1bd30bf876e2b2aff214e1b05c3f51897f05eacc3a5b86af02ebc3b33b9ee4bdeccfce4af840b863fc0554336f668e136176a8e99d1ffa540a734b7c0d063393539756ef2ba76c89302e9a94b6c17ce0c02d9bd81fb9fb768d40665b3823d7753f88e7903ad0a3107752a43d8559772c4290ef7c45d4ec8ae468430d7f2855f18a179bbe75e708b07e18693c3b98fdc6171252aafdfed255052688b92dce5d6b5e3da7dd0876c842131ae82f5fbb9abc889173de14ce5380ef6bd2bbd968114ebd5db3d20a77e59d3e2f858f95bb848cdfe5c4f1629fe1e5523afc811b08dea7c9390172ffdaca20947463ff0e9b0b7ff284d6832d6675e1e69a393b8f59d8b2f0bd25243a66f3257654d3281df3853855d7e5d6629eab8dde495b5cdb5561242cdc44ec6253844506decce005518fee94964d44eca979cb45bc073a8abb847c2	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30779E9315022E94856A3FF8BCF815B082F9AEFD	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30779E9315022E94856A3FF8BCF815B082F9AEFD\Blob = 0400000001000000100000008714ab83c4041bf193c750e2d721ebef03000000010000001400000030779e9315022e94856a3ff8bcf815b082f9aefd68000000010000000800000000005899a154da017e000000010000000800000000c0032f2df8d6017a000000010000000c000000300a06082b060105050703091d0000000100000010000000d895a1485825711bece16ab985d86da21400000001000000140000001d1c650ea8f2257bb491cfe4b1b1e6bd55746c050b000000010000001600000049007a0065006e00700065002e0063006f006d00000062000000010000002000000023804203ca45d8cde716b8c13bf3b448457fa06cc10250997fa01458317c41e553000000010000004600000030443020060a2b06010401f33906010130123010060a2b0601040182373c0101030200c03020060a2b06010401f33906010230123010060a2b0601040182373c0101030200c009000000010000005c000000305a06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703087f0000000100000066000000306406082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030506082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f0000000100000014000000a16d1faa61f7277cd9abc31c9c893ed7b41efb192000000001000000f4050000308205f0308203d8a003020102020f06e846272f1f0a8fd1845ce369f6d5300d06092a864886f70d01010505003038310b300906035504061302455331143012060355040a0c0b495a454e504520532e412e3113301106035504030c0a497a656e70652e636f6d301e170d3037313231333133303832375a170d3337313231333038323732355a3038310b300906035504061302455331143012060355040a0c0b495a454e504520532e412e3113301106035504030c0a497a656e70652e636f6d30820222300d06092a864886f70d01010105000382020f003082020a0282020100c9d37aca0f1eaca786e816656ab1c21b45327195d9fe105bccafe7a579018f89c3caf25571f777be7794f372a42c44d89e929b143aa1e724900a0a568ec5d82694e1d948e12d3eda0a72dda39915da81a287f47b6e26778958add6eb0cb2417a736e6ddb7a7841e90888127e872e6611636c54fb3c9d72c0bc2effc2b7dd0d76e33ad7f7b468bea2f5e3816ec1466f5d8de04dc65455891a33310ab157b9a38a98c3ec3b34c59541697e75c23c20c561ba5147a0209093a1904bf34e7c8545549ad1052641b0b54d1d33bec403c8257cc170db3bf4092d542748ac2fe1c4ac3ec8cb924c53393723ecd301f9e009444d4d64c0e10d5a8722bcad1ba3fe26b515f3a7fc8419e9eca188b444698483f389d17406a9cc0bd6c2de27855026ca17b8c97a87562c1a011e6cbe13ad10acb524f53891a1d64bdaf1bbd2de47b5f1bc81f6596bcf1953e98d15cb4acba96f44e51b41cfe186a7cad06a9fbc4c8d06335aa285e59035a0625c164ef0e3a2fa031ab42c71b3582cde7b0bdb1a0febde211f06770603b0c9ef99fcc0b94f0b8628fed2b9eae3daa5c3476912e0dbf0f6198bed7b70d702d6ed8718282c04244c77e4488a1ac63b9ad40fcafa75d201405a8d79bf8bcf4bcfaa16c195e4ad4c8a3e1791d4b162e582e58004a4037e8dbfda7fa20f974f0cd30dfbd7d1e5727e1cc877ff5b9a0fb7ae0546e5f1a816ec47a4170203010001a381f63081f33081b00603551d110481a83081a5810f696e666f40697a656e70652e636f6da4819130818e31473045060355040a0c3e495a454e504520532e412e202d20434946204130313333373236302d524d6572632e5669746f7269612d4761737465697a205431303535204636322053383143304106035504090c3a417664612064656c204d65646974657272616e656f2045746f726269646561203134202d203031303130205669746f7269612d4761737465697a300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604141d1c650ea8f2257bb491cfe4b1b1e6bd55746c05300d06092a864886f70d01010505000382020100c781466f21184fa005efe7d5ba9750a260eda592141a529bf9f1884aa0dc7875d1d51f954ec5e7b769e622f4f829a82a89becfcf768fe331739d26d31c1b4716290768848ad2fbb11b243ed298182c248eaff67bea44161b2ac4faa097e9ea6c58a4ef75ab0062d19ded1336db220bb6f0d1f46e7b4687c29dbcbdbe423bb773d09a2a3cb45b121600af19398dad83501cc8814fbd020f3d9e3596eeefe4c2037c291c027ebd34275eaf53d69d17bf576ce9d08310afbf5d4def907b5d2bacecea7d002617cc025c63d71918a7ec2bc78a3e580e8a87e6839f4eb2341eac54094f1d020b397e810815b9a06913c8322be3ad6c13d6839d232db26da288867ea80d01260940d9ed284e8c93240fdbf11e4d7a7a5ae2a558f1dc8f5f99820c2ecfb2dd98cc92943ff909b3a596255b37f5128541e2194cc68a08c1dc187a0f1e3f8259a29a3e3ff9e0099ffdc1914b5dc97bd6b689fcdf1d7c86aacd03f20b5292f1626f7f87eaab76c96c50c21982afaa1df52028682ed5fc64374fcfa544c4be72b48c74b46ca7faf2bd7438432bdeaff9dcd8e09d9fdc3dcaa56344bf92a24f4c801cbb1ac39a4a04554dcaee260b1cbf02c564d39e7ed2d3911c4ba2f51ce5171c0d0c52a3911f9cf021ed02946fa9a049cae8438cc4f434da7c22a3c6663eb81b05885dbabcf7bce5dc143da786a8b6595221035e8be304ed4b2a1ea34f50	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47BEABC922EAE80E78783462A79F45C254FDE68B	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\47BEABC922EAE80E78783462A79F45C254FDE68B\Blob = 19000000010000001000000021d008b47b7a2a81c8435903ded424c903000000010000001400000047beabc922eae80e78783462a79f45c254fde68b1d000000010000001000000070253fbcbde32a014d38c1993098ad991400000001000000140000003a9a8507106728b6eff6bd05416e20c194da0fde62000000010000002000000045140b3247eb9cc8c5b4f0d7b53091f73292089e6e5a63e2749dd3aca9198eda53000000010000002500000030233021060b6086480186fd6d0107170330123010060a2b0601040182373c0101030200c00b000000010000005200000047006f00200044006100640064007900200052006f006f007400200043006500720074006900660069006300610074006500200041007500740068006f007200690074007900200013202000470032000000090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b060105050703080f00000001000000200000003560e45b41e46b8f36537025d1d5bc02d9652a10645b0eff69e8b6a52191f3352000000001000000c9030000308203c5308202ada003020102020100300d06092a864886f70d01010b0500308183310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e3131302f06035504031328476f20446164647920526f6f7420436572746966696361746520417574686f72697479202d204732301e170d3039303930313030303030305a170d3337313233313233353935395a308183310b30090603550406130255533110300e060355040813074172697a6f6e61311330110603550407130a53636f74747364616c65311a3018060355040a1311476f44616464792e636f6d2c20496e632e3131302f06035504031328476f20446164647920526f6f7420436572746966696361746520417574686f72697479202d20473230820122300d06092a864886f70d01010105000382010f003082010a0282010100bf716208f1fa5934f71bc918a3f7804958e9228313a6c52043013b84f1e685499f27eaf6841b4ea0b4db7098c73201b1053e074eeef4fa4f2f593022e7ab19566be28007fcf316758039517be5f935b6744ea98d8213e4b63fa90383faa2be8a156a7fde0bc3b6191405caeac3a804943b467c320df3006622c88d696d368c1118b7d3b21c60b438fa028cced3dd4607de0a3eeb5d7cc87cfbb02b53a4926269512505611a44818c2ca9439623dfac3a819a0e29c51ca9e95d1eb69e9e300a39cef18880fb4b5dcc32ec85624325340256270191b43b702a3f6eb1e89c88017d9fd4f9db536d609dbf2ce758abb85f46fccec41b033c09eb49315c6946b3e0470203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604143a9a8507106728b6eff6bd05416e20c194da0fde300d06092a864886f70d01010b0500038201010099db5d79d5f99759670361f17e3b0631752da1208e4f6587b4f7a69cbcd8e92fd0db5aeecf748c73b43842da057bf80275b8fda5b1d7aef6d7de13cb53107e8a46d197fab72e2b11ab90b02780f9e89f5ae9379fabe4df6cb385179d3dd9244f799135d65f04eb8083ab9a022db510f4d890c7047340ed7225a0a99fec9eab68129957c68f123a09a4bd44fd061537c19be432a3ed38e8d864f32c7e14fc02ea9fcdff076817db2290382d7a8dd154f169e35f33ca7a3d7b0ae3ca7f5f39e5e275bac5761833ce2cf02f4cadf7b1e7ce4fa8c49b4a5406c57f7dd5080fe21cfe7e17b8ac5ef6d416b243090c4df6a76bb4998465ca7a88e2e244be5cf7ea1cf5	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\D1EB23A46D17D68FD92564C2F1F1601764D8E349\Blob = 0f00000001000000140000003e8e6487f8fd27d322a269a71edaac5d57811286090000000100000054000000305206082b0601050507030206082b06010505070303060a2b0601040182370a030406082b0601050507030406082b0601050507030606082b0601050507030706082b0601050507030106082b0601050507030853000000010000004300000030413022060c2b06010401b231010201050130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c0620000000100000020000000d7a7a0fb5d7e2731d771e9484ebcdef71d5f0c3e0a2948782bc83ee0ea699ef40b000000010000001c0000005300650063007400690067006f002000280041004100410029000000140000000100000014000000a0110a233e96f107ece2af29ef82a57fd030a4b41d00000001000000100000002e0d6875874a44c820912e85e964cfdb030000000100000014000000d1eb23a46d17d68fd92564c2f1f1601764d8e349200000000100000036040000308204323082031aa003020102020101300d06092a864886f70d0101050500307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c18414141204365727469666963617465205365727669636573301e170d3034303130313030303030305a170d3238313233313233353935395a307b310b3009060355040613024742311b301906035504080c1247726561746572204d616e636865737465723110300e06035504070c0753616c666f7264311a3018060355040a0c11436f6d6f646f204341204c696d697465643121301f06035504030c1841414120436572746966696361746520536572766963657330820122300d06092a864886f70d01010105000382010f003082010a0282010100be409df46ee1ea76871c4d45448ebe46c883069dc12afe181f8ee402faf3ab5d508a16310b9a06d0c57022cd492d5463ccb66e68460b53eacb4c24c0bc724eeaf115aef4549a120ac37ab23360e2da8955f32258f3dedccfef8386a28c944f9f68f29890468427c776bfe3cc352c8b5e07646582c048b0a891f9619f762050a891c766b5eb78620356f08a1a13ea31a31ea099fd38f6f62732586f07f56bb8fb142bafb7aaccd6635f738cda0599a838a8cb17783651ace99ef4783a8dcf0fd942e2980cab2f9f0e01deef9f9949f12ddfac744d1b98b547c5e529d1f99018c7629cbe83c7267b3e8a25c7c0dd9de6356810209d8fd8ded2c3849c0d5ee82fc90203010001a381c03081bd301d0603551d0e04160414a0110a233e96f107ece2af29ef82a57fd030a4b4300e0603551d0f0101ff040403020106300f0603551d130101ff040530030101ff307b0603551d1f047430723038a036a0348632687474703a2f2f63726c2e636f6d6f646f63612e636f6d2f414141436572746966696361746553657276696365732e63726c3036a034a0328630687474703a2f2f63726c2e636f6d6f646f2e6e65742f414141436572746966696361746553657276696365732e63726c300d06092a864886f70d010105050003820101000856fc02f09be8ffa4fad67bc64480ce4fc4c5f60058cca6b6bc1449680476e8e6ee5dec020f60d68d50184f264e01e3e6b0a5eebfbc745441bffdfc12b8c74f5af48960057f60b7054af3f6f1c2bfc4b97486b62d7d6bccd2f346dd2fc6e06ac3c334032c7d96dd5ac20ea70a99c1058bab0c2ff35c3acf6c37550987de53406c58effcb6ab656e04f61bdc3ce05a15c69ed9f15948302165036cece92173ec9b03a1e037ada015188ffaba02cea72ca910132cd4e50826ab229760f8905e74d4a29a53bdf2a968e0a26ec2d76cb1a30f9ebfeb68e756f2aef2e32b383a0981b56b85d7be2ded3f1ab7b263e2f5622c82d46a004150f139839f95e93696986e	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\30779E9315022E94856A3FF8BCF815B082F9AEFD\Blob = 5c0000000100000004000000001000000400000001000000100000008714ab83c4041bf193c750e2d721ebef03000000010000001400000030779e9315022e94856a3ff8bcf815b082f9aefd68000000010000000800000000005899a154da017e000000010000000800000000c0032f2df8d6017a000000010000000c000000300a06082b060105050703091d0000000100000010000000d895a1485825711bece16ab985d86da21400000001000000140000001d1c650ea8f2257bb491cfe4b1b1e6bd55746c050b000000010000001600000049007a0065006e00700065002e0063006f006d00000062000000010000002000000023804203ca45d8cde716b8c13bf3b448457fa06cc10250997fa01458317c41e553000000010000004600000030443020060a2b06010401f33906010130123010060a2b0601040182373c0101030200c03020060a2b06010401f33906010230123010060a2b0601040182373c0101030200c009000000010000005c000000305a06082b0601050507030206082b0601050507030306082b0601050507030406082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703087f0000000100000066000000306406082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030506082b0601050508020206082b0601050507030606082b0601050507030706082b0601050507030906082b0601050507030106082b060105050703080f0000000100000014000000a16d1faa61f7277cd9abc31c9c893ed7b41efb19190000000100000010000000ee8d49b7586d213f273a2c1e1b11bffb2000000001000000f4050000308205f0308203d8a003020102020f06e846272f1f0a8fd1845ce369f6d5300d06092a864886f70d01010505003038310b300906035504061302455331143012060355040a0c0b495a454e504520532e412e3113301106035504030c0a497a656e70652e636f6d301e170d3037313231333133303832375a170d3337313231333038323732355a3038310b300906035504061302455331143012060355040a0c0b495a454e504520532e412e3113301106035504030c0a497a656e70652e636f6d30820222300d06092a864886f70d01010105000382020f003082020a0282020100c9d37aca0f1eaca786e816656ab1c21b45327195d9fe105bccafe7a579018f89c3caf25571f777be7794f372a42c44d89e929b143aa1e724900a0a568ec5d82694e1d948e12d3eda0a72dda39915da81a287f47b6e26778958add6eb0cb2417a736e6ddb7a7841e90888127e872e6611636c54fb3c9d72c0bc2effc2b7dd0d76e33ad7f7b468bea2f5e3816ec1466f5d8de04dc65455891a33310ab157b9a38a98c3ec3b34c59541697e75c23c20c561ba5147a0209093a1904bf34e7c8545549ad1052641b0b54d1d33bec403c8257cc170db3bf4092d542748ac2fe1c4ac3ec8cb924c53393723ecd301f9e009444d4d64c0e10d5a8722bcad1ba3fe26b515f3a7fc8419e9eca188b444698483f389d17406a9cc0bd6c2de27855026ca17b8c97a87562c1a011e6cbe13ad10acb524f53891a1d64bdaf1bbd2de47b5f1bc81f6596bcf1953e98d15cb4acba96f44e51b41cfe186a7cad06a9fbc4c8d06335aa285e59035a0625c164ef0e3a2fa031ab42c71b3582cde7b0bdb1a0febde211f06770603b0c9ef99fcc0b94f0b8628fed2b9eae3daa5c3476912e0dbf0f6198bed7b70d702d6ed8718282c04244c77e4488a1ac63b9ad40fcafa75d201405a8d79bf8bcf4bcfaa16c195e4ad4c8a3e1791d4b162e582e58004a4037e8dbfda7fa20f974f0cd30dfbd7d1e5727e1cc877ff5b9a0fb7ae0546e5f1a816ec47a4170203010001a381f63081f33081b00603551d110481a83081a5810f696e666f40697a656e70652e636f6da4819130818e31473045060355040a0c3e495a454e504520532e412e202d20434946204130313333373236302d524d6572632e5669746f7269612d4761737465697a205431303535204636322053383143304106035504090c3a417664612064656c204d65646974657272616e656f2045746f726269646561203134202d203031303130205669746f7269612d4761737465697a300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604141d1c650ea8f2257bb491cfe4b1b1e6bd55746c05300d06092a864886f70d01010505000382020100c781466f21184fa005efe7d5ba9750a260eda592141a529bf9f1884aa0dc7875d1d51f954ec5e7b769e622f4f829a82a89becfcf768fe331739d26d31c1b4716290768848ad2fbb11b243ed298182c248eaff67bea44161b2ac4faa097e9ea6c58a4ef75ab0062d19ded1336db220bb6f0d1f46e7b4687c29dbcbdbe423bb773d09a2a3cb45b121600af19398dad83501cc8814fbd020f3d9e3596eeefe4c2037c291c027ebd34275eaf53d69d17bf576ce9d08310afbf5d4def907b5d2bacecea7d002617cc025c63d71918a7ec2bc78a3e580e8a87e6839f4eb2341eac54094f1d020b397e810815b9a06913c8322be3ad6c13d6839d232db26da288867ea80d01260940d9ed284e8c93240fdbf11e4d7a7a5ae2a558f1dc8f5f99820c2ecfb2dd98cc92943ff909b3a596255b37f5128541e2194cc68a08c1dc187a0f1e3f8259a29a3e3ff9e0099ffdc1914b5dc97bd6b689fcdf1d7c86aacd03f20b5292f1626f7f87eaab76c96c50c21982afaa1df52028682ed5fc64374fcfa544c4be72b48c74b46ca7faf2bd7438432bdeaff9dcd8e09d9fdc3dcaa56344bf92a24f4c801cbb1ac39a4a04554dcaee260b1cbf02c564d39e7ed2d3911c4ba2f51ce5171c0d0c52a3911f9cf021ed02946fa9a049cae8438cc4f434da7c22a3c6663eb81b05885dbabcf7bce5dc143da786a8b6595221035e8be304ed4b2a1ea34f50	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 1 IoCs

description	pid	Process
Token: SeTakeOwnershipPrivilege	2508	6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe

C:\Users\Admin\AppData\Local\Temp\6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6723ff71492b60139a98a6497a87cf3b_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- Enumerates connected drives
- Sets desktop wallpaper using registry
- Drops file in Program Files directory
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
PID:2508

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Defacement

T1491

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\mx813nrt2-readme.txt

Filesize
7KB

MD5
1f7be19c21a9b9f394727570c99dd404

SHA1
32bb2edf860452537ac57302d69490849bfa966a

SHA256
261865f52553f23c820f2a7af76cd8dd81e7ca90d5e304d06c5fa847ebbfabd1

SHA512
c5a9caec8335aa719879f2aff76fb2fec04cd9e3650ff567d44800e2b049d8d997d36607add1fdcbbe24b2f2138e6622e591a64a281df2ebccfa8fdd00dd45bf

Download Submit

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads