orcus | 28fea3814d7605da249dca493eb491e1261e0a3a87ab2790328ed9b76bb6fe8a

Analysis

max time kernel
143s
max time network
148s
platform
windows7_x64
resource
win7-20240508-en
resource tags

arch:x64arch:x86image:win7-20240508-enlocale:en-usos:windows7-x64system
submitted
22-05-2024 14:32

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe
Size

1.5MB
MD5

67966a3b68b25438e90cd3d109dd5831
SHA1

e721a74be529652701fe07ced4962f225f055366
SHA256

28fea3814d7605da249dca493eb491e1261e0a3a87ab2790328ed9b76bb6fe8a
SHA512

22df6e3862e27bae6eab8e109953b4a2214ce729dd1c9c7d3986a16eb3acc06940eece3efed076556eaf00f71a9541c33d2495c6ed397a65efada8c7d47070a6
SSDEEP

24576:wxrDzROqOMsaEB7aSsv5QJiGFdEkk+SRgTfcOwtTe5CgQ:wx/zROnoEVaSwpkTSRkUR64gQ

Score

10^/10

orcus rat spyware stealer

Malware Config

Extracted

Family

orcus

linkadrum.nl:3444

Mutex

6c659710defd46d394487b3c49fa651e

Attributes

autostart_method
TaskScheduler
enable_keylogger
true
install_path
%programdata%\IIS\web.deployment.exe
reconnect_delay
10000
registry_keyname
web.deployment
taskscheduler_taskname
web.deployment
watchdog_path
AppData\OrcusWatchdog.exe

Signatures

Orcus
Orcus is a Remote Access Trojan that is being sold on underground forums.
rat spyware stealer orcus

Orcurs Rat Executable 5 IoCs

resource	yara_rule
behavioral1/memory/920-87-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral1/memory/920-88-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral1/memory/920-91-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral1/memory/920-93-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus
behavioral1/memory/920-94-0x0000000000400000-0x00000000004E8000-memory.dmp	orcus

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Optimizesapp.ErtrkqyPyGHS4roI.lnk	Optimizesapp.exe

Executes dropped EXE 2 IoCs

pid	Process
888	Optimizesapp.exe
920	Optimizesapp.exe

Loads dropped DLL 1 IoCs

pid	Process
888	Optimizesapp.exe

Suspicious use of SetThreadContext 1 IoCs

description	pid	Process	procid_target
PID 888 set thread context of 920	888	Optimizesapp.exe	35

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies system certificate store 2 TTPs 8 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 190000000100000010000000749966cecc95c1874194ca7203f9b6200300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d431d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0b000000010000001200000044006900670069004300650072007400000014000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b060105050703080f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa62000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 04000000010000001000000087ce0b7b2a0e4900e158719b37a893720f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d43190000000100000010000000749966cecc95c1874194ca7203f9b6202000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81	67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b812000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d03000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b810b000000010000000e00000074006800610077007400650000001d00000001000000100000005b3b67000eeb80022e42605b6b3b72401400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb57485053000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c009000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b060105050703030f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43	67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\0563B8630D62D75ABBC8AB1E4BDFB5A899B24D43\Blob = 0f00000001000000140000006dca5bd00dcf1c0f327059d374b29ca6e3c50aa6090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000045eba2aff492cb82312d518ba7a7219df36dc80f0b00000001000000120000004400690067006900430065007200740000001d00000001000000100000004f5f106930398d09107b40c3c7ca8f1c0300000001000000140000000563b8630d62d75abbc8ab1e4bdfb5a899b24d432000000001000000bb030000308203b73082029fa00302010202100ce7e0e517d846fe8fe560fc1bf03039300d06092a864886f70d01010505003065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3065310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d312430220603550403131b4469676943657274204173737572656420494420526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100ad0e15cee443805cb187f3b760f97112a5aedc269488aaf4cef520392858600cf880daa9159532613cb5b128848a8adc9f0a0c83177a8f90ac8ae779535c31842af60f98323676ccdedd3ca8a2ef6afb21f25261df9f20d71fe2b1d9fe1864d2125b5ff9581835bc47cda136f96b7fd4b0383ec11bc38c33d9d82f18fe280fb3a783d6c36e44c061359616fe599c8b766dd7f1a24b0d2bff0b72da9e60d08e9035c678558720a1cfe56d0ac8497c3198336c22e987d0325aa2ba138211ed39179d993a72a1e6faa4d9d5173175ae857d22ae3f014686f62879c8b1dae45717c47e1c0eb0b492a656b3bdb297edaaa7f0b7c5a83f9516d0ffa196eb085f18774f0203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041445eba2aff492cb82312d518ba7a7219df36dc80f301f0603551d2304183016801445eba2aff492cb82312d518ba7a7219df36dc80f300d06092a864886f70d01010505000382010100a20ebcdfe2edf0e372737a6494bff77266d832e4427562ae87ebf2d5d9de56b39fccce1428b90d97605c124c58e4d33d834945589735691aa847ea56c679ab12d8678184df7f093c94e6b8262c20bd3db32889f75fff22e297841fe965ef87e0dfc16749b35debb2092aeb26ed78be7d3f2bf3b726356d5f8901b6495b9f01059bab3d25c1ccb67fc2f16f86c6fa6468eb812d94eb42b7fa8c1edd62f1be5067b76cbdf3f11f6b0c3607167f377ca95b6d7af112466083d72704be4bce97bec3672a6811df80e70c3366bf130d146ef37f1f63101efa8d1b256d6c8fa5b76101b1d2a326a110719dade2c3f9c39951b72b0708ce2ee650b2a7fa0a452fa2f0f2	67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\91C6D6EE3E8AC86384E548C299295C756C817B81\Blob = 0400000001000000100000008ccadc0b22cef5be72ac411a11a8d8120f000000010000001400000085fef11b4f47fe3952f98301c9f98976fefee0ce09000000010000002a000000302806082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030353000000010000002500000030233021060b6086480186f8450107300130123010060a2b0601040182373c0101030200c01400000001000000140000007b5b45cfafcecb7afd31921a6ab6f346eb5748501d00000001000000100000005b3b67000eeb80022e42605b6b3b72400b000000010000000e000000740068006100770074006500000003000000010000001400000091c6d6ee3e8ac86384e548c299295c756c817b81190000000100000010000000dc73f9b71e16d51d26527d32b11a6a3d2000000001000000240400003082042030820308a0030201020210344ed55720d5edec49f42fce37db2b6d300d06092a864886f70d01010505003081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f74204341301e170d3036313131373030303030305a170d3336303731363233353935395a3081a9310b300906035504061302555331153013060355040a130c7468617774652c20496e632e31283026060355040b131f43657274696669636174696f6e205365727669636573204469766973696f6e31383036060355040b132f2863292032303036207468617774652c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79311f301d06035504031316746861777465205072696d61727920526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100aca0f0fb8059d49cc7a4cf9da159730910450c0d2c6e68f16c5b4868495937fc0b3319c2777fcc102d95341ce6eb4d09a71cd2b8c9973602b789d4245f06c0cc4494948d02626feb5add118d289a5c8490107a0dbd74662f6a38a0e2d55444eb1d079f07ba6feee9fd4e0b29f53e84a001f19cabf81c7e89a4e8a1d871650da3517beebcd222600db95b9ddfbafc515b0baf98b2e92ee904e86287de2bc8d74ec14c641eddcf8758ba4a4fca68071d1c9d4ac6d52f91cc7c71721cc5c067eb32fdc9925c94da85c09bbf537d2b09f48c9d911f976a52cbde0936a477d87b875044d53e6e2969fb3949261e09a5807b402debe82785c9fe61fd7ee67c971dd59d0203010001a3423040300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106301d0603551d0e041604147b5b45cfafcecb7afd31921a6ab6f346eb574850300d06092a864886f70d010105050003820101007911c04bb391b6fcf0e967d40d6e45be55e893d2ce033fedda25b01d57cb1e3a76a04cec5076e864720ca4a9f1b88bd6d68784bb32e54111c077d9b3609deb1bd5d16e4444a9a601ec55621d77b85c8e48497c9c3b5711acad73378e2f785c906847d96060e6fc073d222017c4f716e9c4d872f9c8737cdf162f15a93efd6a27b6a1eb5aba981fd5e34d640a9d13c861baf5391c87bab8bd7b227ff6feac4079e5ac106f3d8f1b79768bc437b3211884e53600eb632099b9e9fe3304bb41c8c102f94463209e81ce42d3d63f2c76d3639c59dd8fa6e10ea02e41f72e9547cfbcfd33f3f60b617e7e912b8147c22730eea7105d378f5c392be404f07b8d568c68	67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 3 IoCs

description	pid	Process
Token: SeDebugPrivilege	1956	67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe
Token: SeDebugPrivilege	888	Optimizesapp.exe
Token: SeDebugPrivilege	920	Optimizesapp.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
920	Optimizesapp.exe

Suspicious use of WriteProcessMemory 29 IoCs

description	pid	Process	procid_target
PID 1956 wrote to memory of 2512	1956	67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe	28
PID 1956 wrote to memory of 2512	1956	67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe	28
PID 1956 wrote to memory of 2512	1956	67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe	28
PID 1956 wrote to memory of 2512	1956	67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe	28
PID 1956 wrote to memory of 1812	1956	67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe	32
PID 1956 wrote to memory of 1812	1956	67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe	32
PID 1956 wrote to memory of 1812	1956	67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe	32
PID 1956 wrote to memory of 1812	1956	67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe	32
PID 548 wrote to memory of 888	548	explorer.exe	34
PID 548 wrote to memory of 888	548	explorer.exe	34
PID 548 wrote to memory of 888	548	explorer.exe	34
PID 548 wrote to memory of 888	548	explorer.exe	34
PID 888 wrote to memory of 920	888	Optimizesapp.exe	35
PID 888 wrote to memory of 920	888	Optimizesapp.exe	35
PID 888 wrote to memory of 920	888	Optimizesapp.exe	35
PID 888 wrote to memory of 920	888	Optimizesapp.exe	35
PID 888 wrote to memory of 920	888	Optimizesapp.exe	35
PID 888 wrote to memory of 920	888	Optimizesapp.exe	35
PID 888 wrote to memory of 920	888	Optimizesapp.exe	35
PID 888 wrote to memory of 920	888	Optimizesapp.exe	35
PID 888 wrote to memory of 920	888	Optimizesapp.exe	35
PID 920 wrote to memory of 2476	920	Optimizesapp.exe	36
PID 920 wrote to memory of 2476	920	Optimizesapp.exe	36
PID 920 wrote to memory of 2476	920	Optimizesapp.exe	36
PID 920 wrote to memory of 2476	920	Optimizesapp.exe	36
PID 2476 wrote to memory of 1708	2476	csc.exe	38
PID 2476 wrote to memory of 1708	2476	csc.exe	38
PID 2476 wrote to memory of 1708	2476	csc.exe	38
PID 2476 wrote to memory of 1708	2476	csc.exe	38

C:\Users\Admin\AppData\Local\Temp\67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe"
1⤵
- Modifies system certificate store
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1956
- C:\Windows\SysWOW64\cmd.exe
  "C:\Windows\System32\cmd.exe" /c copy "C:\Users\Admin\AppData\Local\Temp\67966a3b68b25438e90cd3d109dd5831_JaffaCakes118.exe" "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Optimizesapp.exe"
  2⤵
  PID:2512
- C:\Windows\SysWOW64\explorer.exe
  "C:\Windows\System32\explorer.exe" /c, "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Optimizesapp.exe"
  2⤵
  PID:1812

C:\Windows\explorer.exe
C:\Windows\explorer.exe /factory,{75dff2b7-6936-4c06-a8bb-676a7b00b24b} -Embedding
1⤵
- Suspicious use of WriteProcessMemory
PID:548
- C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Optimizesapp.exe
  "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Optimizesapp.exe"
  2⤵
  - Drops startup file
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:888
- - C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Optimizesapp.exe
    "C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Optimizesapp.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:920
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\rp7i9bjx.cmdline"
      4⤵
      Suspicious use of WriteProcessMemory
      PID:2476
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESE4E4.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCE4E3.tmp"
        5⤵
        
        PID:1708

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C987C966D19B79B9D9F35B962FCC8FA

Filesize
604B

MD5
5a1ab1871c1dd0bbe715482943c74be6

SHA1
da4ce17e39abb581883120980f00a91cb029127c

SHA256
5fab31aa7540eaebb07d0315e540564b06d612b4b4eb3f2a645fd86a59e6b37c

SHA512
88d80e7ffc33aadb7e28363aad82f51e78bc09ef3ef193a7acb867c825bf633b04bb623796e699262c2f1b40f339bc5277b5520f17d87b2d1f6724288330545d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\8EB35376744F392396307460D546222D_DA4083211FC1CAD4C1215FF8726EF9C8

Filesize
1KB

MD5
2c28b249b0c08c7f397dd72e5fd345bf

SHA1
0494b5a4f44cb34d6e411e4fe1bcfb10e2a0fdfd

SHA256
f3fe4e8b4e7b074596654699ab00ce13ef6f18bf70750600294e326412d0ac20

SHA512
6137b469a8dba9d1a7041490d5a75050e76abefb0761e17b39706812e3e21af9ecac012e5063654966f783c945a5b5d7866845df11164382bc5d69d0e571822d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\378B079587A9184B2E2AB859CB263F40_524AD1B9B08D3C6450727265AE77B7D2

Filesize
394B

MD5
3084ee6f11a94ce09b23563ffd0a9495

SHA1
b98977d8f9a0a788ebb5abb864fc4d76c6e10be7

SHA256
c68202d64db12811107b275f78d0eef937ecc16459a5c02113ff2bc54a30a99b

SHA512
f81480ab80a3b9f80db2bdf85862c9fc9e5fc2b7135249588c782dbf5bc81b5f4c35d4e9b7a7b461433a7c4a61e2a14d7fb3cd0bd5a258a3fd9ddbfcfddf1ee1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C987C966D19B79B9D9F35B962FCC8FA

Filesize
184B

MD5
9437e791c1f18ee7928d9b9f3c7f7eb5

SHA1
cb52f7a7f3700c3a5b513903a896b478dcbdea31

SHA256
645ee11731f948fd073321240fbda0ea3e854241ec26c3ee10eead161545fdd2

SHA512
fae8c4f303e1b4df53ec2817359653adfe1d4fd22e776df8e842e0da5b97d1781a381b4cea81e6264bdd09be8c107bb7c8f48eabd0cc595e165fa5a0cbc2a830

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\8EB35376744F392396307460D546222D_DA4083211FC1CAD4C1215FF8726EF9C8

Filesize
402B

MD5
b8063ea50fa3d22a6af9c77db1340e25

SHA1
249a2b9abb82f1f065294aacebbe745c8cadd09d

SHA256
bd1647f02f3c9adc1fa73ae69354ca7de3fab4e883d50ca0964cd78a52d09a81

SHA512
4a3e5693799c8b0dd7be0a2c49c42c32cfa21fd8a1680f35c4e44e9742f7f6c570e840760bda975556be1f91f35e914386ce809439ef529074a78db0f511f7e9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
484597b2fc2873e6cc99a3c91e9b9ba4

SHA1
e47904a149690bc4d3adf9cb24f4c61a25244c7c

SHA256
b724f220e5a20104832dae6bf355be7cb71e46c394d494e767291503391f04fc

SHA512
cfa44f267e6a4f337f176a88536e639cef56ac2a82524f5763c599d78a2f22063b7fceb2d8060a48ef9d424aed9c895c42332b6374d64124f604a10daecd1831

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Optimizesapp.exe

Filesize
1.5MB

MD5
67966a3b68b25438e90cd3d109dd5831

SHA1
e721a74be529652701fe07ced4962f225f055366

SHA256
28fea3814d7605da249dca493eb491e1261e0a3a87ab2790328ed9b76bb6fe8a

SHA512
22df6e3862e27bae6eab8e109953b4a2214ce729dd1c9c7d3986a16eb3acc06940eece3efed076556eaf00f71a9541c33d2495c6ed397a65efada8c7d47070a6

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab208D.tmp

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESE4E4.tmp

Filesize
1KB

MD5
86afd5a61fc0c876336f372bd0e6b103

SHA1
e4b68ccb0d1a1664773a7f6f8409d536759997ff

SHA256
7b12ba883976fa073819c0562214a2daf5e597306e5965a35fa6052f69664c79

SHA512
5e9ce5038d232b80d0aadc7cd809431f561ce14b94fddccf7b5c97f44560264720621831ce50ad566200591ae4622c4b94cc0f7459da00d53b0fc2d19a85d0d3

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar2245.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
C:\Users\Admin\AppData\Local\Temp\rp7i9bjx.dll

Filesize
76KB

MD5
040f54a399f372192e429dd5ecaef609

SHA1
63fa98f869e6283e2b85252cfe4dd03f6ea18243

SHA256
494ddbf9f0722be4859339c28b537c351af9f2f3a313b99fb1ff51aecba98abc

SHA512
863add06ed5acacf947d2328b44637fde0be01362df2fd31eac7771cb604140fcef973207fc6937d579e56bdbc06610a22efe4eb548e4681af08a1d0dc8270fa

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\CSCE4E3.tmp

Filesize
676B

MD5
318d801f8990ba76e0707ebdfb49ffbe

SHA1
90e6f97a2da785ea33dae180ed18e94bb6ff71bb

SHA256
c033a27b346eaefb3280499390039d4461ff098b6a1447577ece02a68aafac7f

SHA512
16bd261b6c61b2650246b52c398a8cb232ae0450db6550b1de042f22d7ff8b4a00f932c945e5166360e0f8263e286052a9776ed9e7675991d55e3f5418315a49

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rp7i9bjx.0.cs

Filesize
208KB

MD5
5977b9a54b1c80cb7b1ddd2e9e2cf36b

SHA1
689e6f6743ba67cd4bc320f12eee5256aa7afb84

SHA256
f88dafac457c7e1e5194b8a9afadbd56f16f61e325dc198cdad3d8dfded009df

SHA512
7a03f792606c623ce4bf227c94a288649afc6f677bc7a06b5a3e164962544c395d44a7ff7bcea6951a36f764fb056f768e9a6a7ec6c442305ed0e7fe3a578407

Download Submit
\??\c:\Users\Admin\AppData\Local\Temp\rp7i9bjx.cmdline

Filesize
347B

MD5
b50cff09a774c69d11c75d0cacbfac53

SHA1
7fefa1f24b3e66e7e83c385d297f9f112d607913

SHA256
72ffc8323347d3862773db96431635e97d1cdfda8fb125538668040e69086592

SHA512
d6c86fece1a5ce466ce8b886f5b29587e6cdff4cbe593be4a3f45f89c256dd4ae3179f377ed8382bb7c2800667918acbc653749f842278ed16a34012ee20b433

Download Submit
memory/920-88-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/920-84-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/920-87-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/920-90-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/920-91-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/920-93-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/920-94-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/920-83-0x0000000000400000-0x00000000004E8000-memory.dmp

Filesize
928KB

Download
memory/1956-0-0x0000000073FF1000-0x0000000073FF2000-memory.dmp

Filesize
4KB

Download
memory/1956-1-0x0000000073FF0000-0x000000007459B000-memory.dmp

Filesize
5.7MB

Download
memory/1956-2-0x0000000073FF0000-0x000000007459B000-memory.dmp

Filesize
5.7MB

Download
memory/1956-60-0x0000000073FF0000-0x000000007459B000-memory.dmp

Filesize
5.7MB

Download
memory/1956-63-0x0000000073FF0000-0x000000007459B000-memory.dmp

Filesize
5.7MB

Download