81966a79010fb798795b7e255f14bedf00a2c94899fb30c29d4739590732cb9f

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
19/08/2024, 11:34

Sharing

Copy URL Twitter E-mail

Report Analysis Logs

General

Target

aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe
Size

760KB
MD5

aad91b80b63a0cb9307e981a566370ea
SHA1

6e9e741b70639207f598248e1563be40ddcf9b33
SHA256

81966a79010fb798795b7e255f14bedf00a2c94899fb30c29d4739590732cb9f
SHA512

5a0c05fa3201ff7a054a161aac0828267ffc3be730cb662fee88e9e52c6802f3218351b450bb3881f915c21070f7371b8751c564c21dd1d9f312f53e8bb22b5d
SSDEEP

12288:8Iyv5dgpTH+ESb2os6HnOPo0VdfG1mIn0sSelRnlUZrHQcyDBCZfv:8Iyv5dgpTH+ESios6WJH6m0hl9lUtwzO

Score

7^/10

discovery

Malware Config

Signatures

Checks BIOS information in registry 2 TTPs 18 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	mirc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	mirc.exe

Executes dropped EXE 8 IoCs

pid	Process
2084	mirc.exe
3976	mirc.exe
1048	mirc.exe
3552	mirc.exe
3912	mirc.exe
5048	mirc.exe
4968	mirc.exe
4444	mirc.exe

Drops file in System32 directory 18 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File created	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File created	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File opened for modification	C:\Windows\SysWOW64\mirc.exe	aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File created	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File opened for modification	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File opened for modification	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File opened for modification	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File opened for modification	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File created	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File created	C:\Windows\SysWOW64\mirc.exe	aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File opened for modification	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File created	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File opened for modification	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File opened for modification	C:\Windows\SysWOW64\mirc.exe	mirc.exe
File created	C:\Windows\SysWOW64\mirc.exe	mirc.exe

System Location Discovery: System Language Discovery 1 TTPs 9 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mirc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mirc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mirc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mirc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mirc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mirc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mirc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	mirc.exe

Modifies registry class 64 IoCs

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Fpjoqlfosiy = "pXMblZ~^aTCqd{XBj\x7fiLxDkW^M"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\uocSseg = "WZBVFmUKhXbounynt_KGvGLYsKj"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CzAcgwayhyb = "uZ]NZeqryUT}QUt`"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\lembyrHz = "u{fH\|Gifm^GHZT@xYUuVVd"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\smRdghVmvpw = "AV{RTKhEqnYBvMjmo]NaWe`"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\uocSseg = "WZBVFmUKhXbounynt_KGvGLYsKj"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\eaKFnekjsRl = "p"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Fpjoqlfosiy = "pXMblZ~^aTCqd{XBj\x7fiLxDkW^M"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\lembyrHz = "u{VH\|Gifm]wHZT@xYUuVVd"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\lembyrHz = "u{FH\|Gifm]wHZT@xYUuVVd"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CzAcgwayhyb = "uZ]NZUqryUTvw{A~"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\smRdghVmvpw = "AV{RTKhEqnYBvMjmnMNaWe`"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\smRdghVmvpw = "AV{RTKhEqnYBvMjmn]NaWe`"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Dxgztzbq = "FU_FMlfgXi@iTMWm"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\gJewxqb = "H[bKBQe\\b_NiDxh}VB\\jnwhWy^KlFLf"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\smRdghVmvpw = "AV{RTKhEqnYBvMjmoMNaWe`"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\eaKFnekjsRl = "p"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CzAcgwayhyb = "uZ]N[MqryUT{jj[^"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\smRdghVmvpw = "AV{RTKhEqnYBvMjmoMNaWe`"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CzAcgwayhyb = "uZ]NY}qryUTYLYnb"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\lembyrHz = "uzFH\|Gifm]wHZT@xYUuVVd"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\smRdghVmvpw = "AV{RTKhEqnYBvMjmn]NaWe`"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CzAcgwayhyb = "uZ]NYyqryUTuN\|Nm"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Fpjoqlfosiy = "pXMblZ~^aTCqd{XBj\x7fiLxDkW^M"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CzAcgwayhyb = "uZ]NZ]qryUT\x7f@\|{r"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CzAcgwayhyb = "uZ]NYqqryUT\|y{ta"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\eaKFnekjsRl = "`"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\eaKFnekjsRl = "p"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\eaKFnekjsRl = "`"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\gJewxqb = "H[bKBQe\\b_NiDxh}VB\\jnwhWy^KlFLf"	mirc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}	aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\gJewxqb = "H[bKBQe\\b_NiDxh}VB\\jnwhWy^KlFLf"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CzAcgwayhyb = "uZ]NZIqryUThpZ^o"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\smRdghVmvpw = "AV{STKhEULIBvMjmn}NaWe`"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\eaKFnekjsRl = "P"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\lembyrHz = "uzFH\|Gifm^GHZT@xYUuVVd"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\gJewxqb = "H[bKBQe\\b_NiDxh}VB\\jnwhWy^KlFLf"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CzAcgwayhyb = "uZ]NZEqryUTzvP@X"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\gJewxqb = "H[bKBQe\\b_NiDxh}VB\\jnwhWy^KlFLf"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\smRdghVmvpw = "AV{RTKhEqnYBvMjmlmNaWe`"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CzAcgwayhyb = "uZ]N[IqryUTWhO{Q"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\smRdghVmvpw = "AV{RTKhEqnYBvMjmomNaWe`"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\lembyrHz = "u{FH\|Gifm]wHZT@xYUuVVd"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Fpjoqlfosiy = "pXMblZ~^aTCqd{XBj\x7fiLxDkW^M"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\smRdghVmvpw = "AV{RTKhEqnYBvMjmomNaWe`"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Fpjoqlfosiy = "pXMblZ~^aTCqd{XBj\x7fiLxDkW^M"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\eaKFnekjsRl = "p"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\smRdghVmvpw = "AV{RTKhEqnYBvMjmo]NaWe`"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\eaKFnekjsRl = "@"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CzAcgwayhyb = "uZ]N[aqryUTnKeqQ"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CzAcgwayhyb = "uZ]NZiqryUT_T\\TK"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Dxgztzbq = "FU_FMlfgXi@iTMWm"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\lembyrHz = "uxfH\|Gifm]wHZT@xYUuVVd"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\uocSseg = "WZBVFmUKhXbounynt_KGvGLYsKj"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\smRdghVmvpw = "AV{RTKhEqnYBvMjmo}NaWe`"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\lembyrHz = "uxvH\|Gifm]wHZT@xYUuVVd"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\CzAcgwayhyb = "uZ]NZaqryUTQSpTo"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\smRdghVmvpw = "AV{RTKhEqnYBvMjml}NaWe`"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\ = "Library Folder Context Menu"	aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\gJewxqb = "H[bKBQe\\b_NiDxh}VB\\jnwhWy^KlFLf"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\lembyrHz = "u{fH\|Gifm]wHZT@xYUuVVd"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Fpjoqlfosiy = "pXMblZ~^aTCqd{XBj\x7fiLxDkW^M"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\Dxgztzbq = "FU_FMlfgXi@iTMWm"	mirc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{BD211730-848A-F6FE-25B7-CBFA4A410CDA}\gJewxqb = "H[bKBQe\\b_NiDxh}VB\\jnwhWy^KlFLf"	mirc.exe

NTFS ADS 9 IoCs

description	ioc	Process
File opened for modification	C:\ProgramData\TEMP:C980DA7D	mirc.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	mirc.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	mirc.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	mirc.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	mirc.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	mirc.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	mirc.exe
File created	C:\ProgramData\TEMP:C980DA7D	mirc.exe
File opened for modification	C:\ProgramData\TEMP:C980DA7D	mirc.exe

Suspicious use of AdjustPrivilegeToken 18 IoCs

description	pid	Process
Token: 33	1764	aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1764	aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe
Token: 33	2084	mirc.exe
Token: SeIncBasePriorityPrivilege	2084	mirc.exe
Token: 33	3976	mirc.exe
Token: SeIncBasePriorityPrivilege	3976	mirc.exe
Token: 33	1048	mirc.exe
Token: SeIncBasePriorityPrivilege	1048	mirc.exe
Token: 33	3552	mirc.exe
Token: SeIncBasePriorityPrivilege	3552	mirc.exe
Token: 33	3912	mirc.exe
Token: SeIncBasePriorityPrivilege	3912	mirc.exe
Token: 33	5048	mirc.exe
Token: SeIncBasePriorityPrivilege	5048	mirc.exe
Token: 33	4968	mirc.exe
Token: SeIncBasePriorityPrivilege	4968	mirc.exe
Token: 33	4444	mirc.exe
Token: SeIncBasePriorityPrivilege	4444	mirc.exe

Suspicious use of WriteProcessMemory 24 IoCs

description	pid	Process	procid_target
PID 1764 wrote to memory of 2084	1764	aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe	95
PID 1764 wrote to memory of 2084	1764	aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe	95
PID 1764 wrote to memory of 2084	1764	aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe	95
PID 2084 wrote to memory of 3976	2084	mirc.exe	98
PID 2084 wrote to memory of 3976	2084	mirc.exe	98
PID 2084 wrote to memory of 3976	2084	mirc.exe	98
PID 3976 wrote to memory of 1048	3976	mirc.exe	103
PID 3976 wrote to memory of 1048	3976	mirc.exe	103
PID 3976 wrote to memory of 1048	3976	mirc.exe	103
PID 1048 wrote to memory of 3552	1048	mirc.exe	106
PID 1048 wrote to memory of 3552	1048	mirc.exe	106
PID 1048 wrote to memory of 3552	1048	mirc.exe	106
PID 3552 wrote to memory of 3912	3552	mirc.exe	107
PID 3552 wrote to memory of 3912	3552	mirc.exe	107
PID 3552 wrote to memory of 3912	3552	mirc.exe	107
PID 3912 wrote to memory of 5048	3912	mirc.exe	112
PID 3912 wrote to memory of 5048	3912	mirc.exe	112
PID 3912 wrote to memory of 5048	3912	mirc.exe	112
PID 5048 wrote to memory of 4968	5048	mirc.exe	113
PID 5048 wrote to memory of 4968	5048	mirc.exe	113
PID 5048 wrote to memory of 4968	5048	mirc.exe	113
PID 4968 wrote to memory of 4444	4968	mirc.exe	117
PID 4968 wrote to memory of 4444	4968	mirc.exe	117
PID 4968 wrote to memory of 4444	4968	mirc.exe	117

C:\Users\Admin\AppData\Local\Temp\aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe"
1⤵
- Checks BIOS information in registry
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1764
- C:\Windows\SysWOW64\mirc.exe
  C:\Windows\system32\mirc.exe 1520 "C:\Users\Admin\AppData\Local\Temp\aad91b80b63a0cb9307e981a566370ea_JaffaCakes118.exe"
  2⤵
  - Checks BIOS information in registry
  - Executes dropped EXE
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2084
- - C:\Windows\SysWOW64\mirc.exe
    C:\Windows\system32\mirc.exe 1516 "C:\Windows\SysWOW64\mirc.exe"
    3⤵
    - Checks BIOS information in registry
    - Executes dropped EXE
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - NTFS ADS
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:3976
  - - C:\Windows\SysWOW64\mirc.exe
      C:\Windows\system32\mirc.exe 1492 "C:\Windows\SysWOW64\mirc.exe"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:1048
    - - C:\Windows\SysWOW64\mirc.exe
        
        C:\Windows\system32\mirc.exe 1528 "C:\Windows\SysWOW64\mirc.exe"
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3552
      - C:\Windows\SysWOW64\mirc.exe
        
        C:\Windows\system32\mirc.exe 1540 "C:\Windows\SysWOW64\mirc.exe"
        6⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:3912
        
        C:\Windows\SysWOW64\mirc.exe
        
        C:\Windows\system32\mirc.exe 1536 "C:\Windows\SysWOW64\mirc.exe"
        7⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:5048
        
        C:\Windows\SysWOW64\mirc.exe
        
        C:\Windows\system32\mirc.exe 1508 "C:\Windows\SysWOW64\mirc.exe"
        8⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of WriteProcessMemory
        
        PID:4968
        
        C:\Windows\SysWOW64\mirc.exe
        
        C:\Windows\system32\mirc.exe 1548 "C:\Windows\SysWOW64\mirc.exe"
        9⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        
        PID:4444

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Privilege Escalation

Defense Evasion

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
0961346c4aa82872414779a9538ba407

SHA1
0367bd3e6fd72e65b270429555df75d9af8c9a78

SHA256
4be1555253980b941a3332506fb0915b832149af80d1acdbbec41a4e3e0fd1dc

SHA512
cef28df5e3b31a0eaf27cd6fbafe530debbc2c38140fdaf166767d6c01720bdbf729f85169b445d83d91acb2bbc66a4c678a1b6548797ee2b7b7c987507aebb4

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
04ebf794aaccf17726f639e9d4d2c994

SHA1
86e3e6548a050fb3eb29ffc4457c8c8f327b0b2c

SHA256
c909b140d12080b160a7f946817565b8e4b1692fff5063a574ebd6ef6c8362ef

SHA512
ad012921edadeb9bd3708c46240d6e1ed26f411910fe54b06d03d62d8b7251e52e857735a29b4efd53cb211227737090d6c3f1b701e1e3dacdcdb8f286fed45f

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
06cab684a75bae697cee4aa749ea8d54

SHA1
f57bd075b370933210fe12a74c18771bd6b1771f

SHA256
0c60609c47bd5f8dc20e74b6bb13d78dd1becd7f05619ba5aecc918fa10c1dfa

SHA512
fd1966d391fdd05ca5191ae80c7c95334cddb3d546949322fb48ba0bc69f4010365d8138ba62cebd5dce6f8a7d747751c95ea2e42cf1d7e0c5b5fa33ed633b95

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
c9a9ce26b0d9d457dd5da8ffc6db6b03

SHA1
0482da6c9e718e412fd67a5ec2dfb92c150b2571

SHA256
957c712f8e6e32734bbab699288199ca4fb304b7b1fa562b0cfff5b90de07e7a

SHA512
f968ef3b05f0e0ba7b8bb3e9d8bc234bbebbb4f11c900e9942973b31edca659cb17a8e1d12b2d5ee4b8d547268b8c729bd0da16c9b672a08718220426689ceaa

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
4cdabead0fb3c05f441e955e0133e525

SHA1
3b103c74ee0451aebfc118bb1973e17f0e9e529e

SHA256
7ac4131b42fc0a03f806bcef5242781dd105a6bcaacc42f06731b3401c71e858

SHA512
d4007ecb2551cf6a2aca6f4f9977d607a871ae5cd767d8310e35b14505713854079fac066b27d02f46b3c4964ff1b432b4167695366a8ba89eeaf4b10e3bff02

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
75075afdb1787724209995938a2001eb

SHA1
d6152009a442aec1e5d9e47cbf6506874a983585

SHA256
7ad764ac615e93db69ed35fe810ee437253b1e9d84994c50ef0dfcb571365485

SHA512
b95eb72b736cb9d43e9e014bf28cc79bf78e27572faee4caa0669661eeb4b75fe54ca26ec5096f5cd623ebaf9c1077a8f5c0c46938d27a0ce2f8e5feb33b6f1d

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
439400c3b3ad02c2fc03ac06c2bde118

SHA1
17c5bf6b69eb6850ae239d0e5d79da94ca4492f4

SHA256
bd30756c99228c42d5f7a369ae9b88361b827be51cc0472beb2c56cccfaf9780

SHA512
44454b5d624d7ddb36782117b81d6a2e4cda7ee2e64783db109993ec4d52f2dfc5f6d95f8fb32ee1d589a41bc0920545d32447b1d85a0b2da9401e266e409449

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
473b6907522572ef1b74423034803a59

SHA1
4001548a0c8690ba769cab1d96afca56d15f8815

SHA256
e0d88220a23a2934882cfaf264c1cc4deb4d186adaf7b4194f5af3d30589ff1e

SHA512
8fd9e33fffc8d1e09d8ad3b78da96fc1f6a8b97741bbd0a3191ef9fe752d21db29b17460c15968d646e551225f0c7507bee36c0ca3b70d70f1989512258e925c

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
52b8c406974f8d6d22fdd98f086278f4

SHA1
ae1723035e085c495fcb2ac508ca182fb2fff545

SHA256
2b115e3d5260a599ecc3d62c6a2bcab97949952ed0dd22e2d52a2370898c08e4

SHA512
d0874d6ea836bc2a755dc83f4028ff62a75d57e6fc89a4d98991189dce0122b606217ef828bb3d108c07e5805442d02557b3c07e5116f5ba5656fd334f15e2da

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
91c7f0a5f9a5de95709aae97d4c6af82

SHA1
f0ad6cbf485dd975ff7f7a686951fdc7ad637647

SHA256
e29cc81788763341b4ca9ee79932f469945252572e03b488d5060c5297d85396

SHA512
0f8bc96bcf1d5b1c76820f96250c7d6ba89db0ea3a8c64411422cb38c683f4c26993e6a08131da00de6dec797dcdc07c9b78a819ebc0888525e0b7a95681e7fd

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
aef0631f46bd81c10d0f877ba451a209

SHA1
8f347def714996d6eba6f2440ecc4425c5ad889c

SHA256
3b392be826ce8acc42b4ea6364c60255986f99dc3c2e23bd3d203be75e6260f2

SHA512
1c30df0ca8343f19a2b740bd88d77fa41f76adb1f44494e80b7ce79f68ca54befb3cfd951bf5eb0531c51a573e516a4563dd00245b4e886edab2538c5b901d08

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
13b8e8b89a3bb4955e39ac84e135d3ef

SHA1
337ae8bcbb49341e5882945cc68fea72f05fcf59

SHA256
cd063eda196c8d3be3359fa95fb83bee8956baddab15e5dae75405a89d6c7562

SHA512
a7839695527967cbf78d5329d012fc4dd9d88da45e2e0a2a95580e1b8dcba606653b19d7d81ad240540e00b49d94a45ca1128b740da2ad22c094523fe5b9d0ec

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
e544b06d76b8b656f6297e3135eb2b03

SHA1
46f990a63d6d3fbfea0c121745638c9f6438a80f

SHA256
6ca13e21e867bb7d3715058634b39eda780234f2e512bc7f4ef4f9913165850f

SHA512
66ca169a59701dd97fbc6eae98fcd1253b7c125096e47f6c9935355b1d8ef96471415d47ec3d202466aa02c587fa03eb8caa1ee6fdbcf8bbb4e1dab9cdd80332

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
2d666340e68090203f768b298a20bcbb

SHA1
01a5f5ba4781903e8d5e45c6f138e504382602ab

SHA256
fb7faedadf307c3cd9989426cb5381da7cbf697d21a4f9ff659e5f36a1672acf

SHA512
be63fb7321bb9e172a0316118c8da61ce11ac5a9681ae3b937d73b56eb964205f5fb7e3a492deb8f783c6b7aa20fa39aadc1969b5b1521a1bfb56b779a7ed9dc

Download Submit
C:\ProgramData\TEMP:C980DA7D

Filesize
120B

MD5
28e8d938cca6969d122f35090ec93a7b

SHA1
9e3685f9b1f9e1f772df600e13b292fb76ec9023

SHA256
5b5ed3303f74e588f0e22440e3505dd5f41be6d14d50fe1ccae7a7bf7c305d67

SHA512
86848a5b94b0a74610d39825a55f6a669e2acc470ebd85f8faa6008b51434acbb8715b1a54714f75f14f729174645de1764cdcf44e9bb4b45bdb27a2e02c79bf

Download Submit
C:\Windows\SysWOW64\mirc.exe

Filesize
760KB

MD5
aad91b80b63a0cb9307e981a566370ea

SHA1
6e9e741b70639207f598248e1563be40ddcf9b33

SHA256
81966a79010fb798795b7e255f14bedf00a2c94899fb30c29d4739590732cb9f

SHA512
5a0c05fa3201ff7a054a161aac0828267ffc3be730cb662fee88e9e52c6802f3218351b450bb3881f915c21070f7371b8751c564c21dd1d9f312f53e8bb22b5d

Download Submit
memory/1048-67-0x00000000006E0000-0x0000000000769000-memory.dmp

Filesize
548KB

Download
memory/1048-84-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/1048-89-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/1048-87-0x00000000006E0000-0x0000000000769000-memory.dmp

Filesize
548KB

Download
memory/1048-86-0x00000000006E0000-0x0000000000769000-memory.dmp

Filesize
548KB

Download
memory/1048-83-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/1048-81-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/1048-82-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/1048-104-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/1048-85-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/1764-2-0x0000000002060000-0x00000000020E9000-memory.dmp

Filesize
548KB

Download
memory/1764-11-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/1764-9-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/1764-12-0x0000000002060000-0x00000000020E9000-memory.dmp

Filesize
548KB

Download
memory/1764-8-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/1764-27-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/1764-0-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/1764-7-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/1764-10-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/1764-25-0x0000000002060000-0x00000000020E9000-memory.dmp

Filesize
548KB

Download
memory/2084-33-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2084-20-0x0000000002140000-0x00000000021C9000-memory.dmp

Filesize
548KB

Download
memory/2084-34-0x0000000002140000-0x00000000021C9000-memory.dmp

Filesize
548KB

Download
memory/2084-32-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2084-31-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2084-53-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2084-51-0x0000000002140000-0x00000000021C9000-memory.dmp

Filesize
548KB

Download
memory/2084-30-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2084-37-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/2084-35-0x0000000002140000-0x00000000021C9000-memory.dmp

Filesize
548KB

Download
memory/2084-29-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/3552-131-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/3552-92-0x00000000020C0000-0x0000000002149000-memory.dmp

Filesize
548KB

Download
memory/3552-116-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/3912-158-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/3912-143-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/3976-64-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/3976-57-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/3976-75-0x0000000002140000-0x00000000021C9000-memory.dmp

Filesize
548KB

Download
memory/3976-56-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/3976-78-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/3976-58-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/3976-61-0x0000000002140000-0x00000000021C9000-memory.dmp

Filesize
548KB

Download
memory/3976-62-0x0000000002140000-0x00000000021C9000-memory.dmp

Filesize
548KB

Download
memory/3976-60-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/3976-59-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/4444-224-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/4968-197-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/4968-212-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/5048-185-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download
memory/5048-170-0x0000000000400000-0x0000000000583000-memory.dmp

Filesize
1.5MB

Download