darkcomet | 4fdecee78958b17a98fee1b0afa23d35bdf11b38bd543c8b66428bb149dd38c2

General

Target

f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
Size

1.0MB
MD5

f27bcaa1644a3d59b1dbfb38c5aa0d6c
SHA1

d19334e7313a329b264b1236c579136e7e4ea1b0
SHA256

4fdecee78958b17a98fee1b0afa23d35bdf11b38bd543c8b66428bb149dd38c2
SHA512

47096764fcb520594421fe10382739769c0b363fdb3922af52ab18fc6d77db5226bdf8358ff28c4a53f0ed4f87626c8593afa35fabafa083cbdb84a8dbaeccab
SSDEEP

12288:zUZsL8GPNmld8eiGb8f+F54+e6kT6D6BTqU8PfiVp+Xc9gw9z3UKhrhOniBkbdnL:gK3KF+wkP8UYs9NzkTmrRbaS0Vrdvr

Score

10^/10

darkcomet guest16 evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

C2

ultrafucker.no-ip.org:1604

Mutex

DC_MUTEX-XKL4MDM

Attributes

InstallPath
MSDCSC\svchost.exe
gencode
wBVkapugtdJz
install
true
offline_keylogger
true
persistence
true
reg_key
svchost

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

vbc.exevbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\svchost.exe"	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\svchost.exe,C:\\Windows\\system32\\MSDCSC\\wBVkapugtdJz\\svchost.exe"	vbc.exe

Sets file to hidden 1 TTPs 4 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

2380 attrib.exe
584 attrib.exe
268 attrib.exe
580 attrib.exe
Executes dropped EXE 2 IoCs

Processes:

svchost.exesvchost.exe

pid process

1200 svchost.exe
2356 svchost.exe
Loads dropped DLL 2 IoCs

Processes:

vbc.exevbc.exe

pid process

2528 vbc.exe
1184 vbc.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
2380	attrib.exe
584	attrib.exe
268	attrib.exe
580	attrib.exe

pid	process
1200	svchost.exe
2356	svchost.exe

pid	process
2528	vbc.exe
1184	vbc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

vbc.exevbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\MSDCSC\\svchost.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-778096762-2241304387-192235952-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\MSDCSC\\wBVkapugtdJz\\svchost.exe"	vbc.exe

Drops file in System32 directory 7 IoCs

Processes:

vbc.exevbc.exe

description	ioc	process
File created	C:\Windows\SysWOW64\MSDCSC\wBVkapugtdJz\svchost.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\wBVkapugtdJz\svchost.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\wBVkapugtdJz\	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\svchost.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\svchost.exe	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\svchost.exe	vbc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exef27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe

description	pid	process	target process
PID 2916 set thread context of 1184	2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2580 set thread context of 2528	2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe

Drops file in Windows directory 4 IoCs

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exef27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe

pid	process
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exef27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exevbc.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
Token: SeDebugPrivilege	2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2528	vbc.exe
Token: SeSecurityPrivilege	2528	vbc.exe
Token: SeTakeOwnershipPrivilege	2528	vbc.exe
Token: SeLoadDriverPrivilege	2528	vbc.exe
Token: SeSystemProfilePrivilege	2528	vbc.exe
Token: SeSystemtimePrivilege	2528	vbc.exe
Token: SeProfSingleProcessPrivilege	2528	vbc.exe
Token: SeIncBasePriorityPrivilege	2528	vbc.exe
Token: SeCreatePagefilePrivilege	2528	vbc.exe
Token: SeBackupPrivilege	2528	vbc.exe
Token: SeRestorePrivilege	2528	vbc.exe
Token: SeShutdownPrivilege	2528	vbc.exe
Token: SeDebugPrivilege	2528	vbc.exe
Token: SeSystemEnvironmentPrivilege	2528	vbc.exe
Token: SeChangeNotifyPrivilege	2528	vbc.exe
Token: SeRemoteShutdownPrivilege	2528	vbc.exe
Token: SeUndockPrivilege	2528	vbc.exe
Token: SeManageVolumePrivilege	2528	vbc.exe
Token: SeImpersonatePrivilege	2528	vbc.exe
Token: SeCreateGlobalPrivilege	2528	vbc.exe
Token: 33	2528	vbc.exe
Token: 34	2528	vbc.exe
Token: 35	2528	vbc.exe
Token: SeIncreaseQuotaPrivilege	1184	vbc.exe
Token: SeSecurityPrivilege	1184	vbc.exe
Token: SeTakeOwnershipPrivilege	1184	vbc.exe
Token: SeLoadDriverPrivilege	1184	vbc.exe
Token: SeSystemProfilePrivilege	1184	vbc.exe
Token: SeSystemtimePrivilege	1184	vbc.exe
Token: SeProfSingleProcessPrivilege	1184	vbc.exe
Token: SeIncBasePriorityPrivilege	1184	vbc.exe
Token: SeCreatePagefilePrivilege	1184	vbc.exe
Token: SeBackupPrivilege	1184	vbc.exe
Token: SeRestorePrivilege	1184	vbc.exe
Token: SeShutdownPrivilege	1184	vbc.exe
Token: SeDebugPrivilege	1184	vbc.exe
Token: SeSystemEnvironmentPrivilege	1184	vbc.exe
Token: SeChangeNotifyPrivilege	1184	vbc.exe
Token: SeRemoteShutdownPrivilege	1184	vbc.exe
Token: SeUndockPrivilege	1184	vbc.exe
Token: SeManageVolumePrivilege	1184	vbc.exe
Token: SeImpersonatePrivilege	1184	vbc.exe
Token: SeCreateGlobalPrivilege	1184	vbc.exe
Token: 33	1184	vbc.exe
Token: 34	1184	vbc.exe
Token: 35	1184	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exef27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exevbc.exevbc.exe

description	pid	process	target process
PID 2916 wrote to memory of 2580	2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
PID 2916 wrote to memory of 2580	2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
PID 2916 wrote to memory of 2580	2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
PID 2916 wrote to memory of 2580	2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
PID 2916 wrote to memory of 1184	2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2916 wrote to memory of 1184	2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2916 wrote to memory of 1184	2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2916 wrote to memory of 1184	2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2916 wrote to memory of 1184	2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2916 wrote to memory of 1184	2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2580 wrote to memory of 2528	2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2580 wrote to memory of 2528	2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2580 wrote to memory of 2528	2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2580 wrote to memory of 2528	2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2580 wrote to memory of 2528	2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2916 wrote to memory of 1184	2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2916 wrote to memory of 1184	2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2580 wrote to memory of 2528	2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2916 wrote to memory of 1184	2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2916 wrote to memory of 1184	2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2916 wrote to memory of 1184	2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2916 wrote to memory of 1184	2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2916 wrote to memory of 1184	2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2916 wrote to memory of 1184	2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2916 wrote to memory of 1184	2916	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2580 wrote to memory of 2528	2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2580 wrote to memory of 2528	2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2580 wrote to memory of 2528	2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2580 wrote to memory of 2528	2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2580 wrote to memory of 2528	2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2580 wrote to memory of 2528	2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2580 wrote to memory of 2528	2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2580 wrote to memory of 2528	2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2580 wrote to memory of 2528	2580	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 2528 wrote to memory of 2600	2528	vbc.exe	cmd.exe
PID 2528 wrote to memory of 2600	2528	vbc.exe	cmd.exe
PID 2528 wrote to memory of 2600	2528	vbc.exe	cmd.exe
PID 2528 wrote to memory of 2600	2528	vbc.exe	cmd.exe
PID 1184 wrote to memory of 2672	1184	vbc.exe	cmd.exe
PID 1184 wrote to memory of 2672	1184	vbc.exe	cmd.exe
PID 1184 wrote to memory of 2672	1184	vbc.exe	cmd.exe
PID 1184 wrote to memory of 2672	1184	vbc.exe	cmd.exe
PID 2528 wrote to memory of 2560	2528	vbc.exe	cmd.exe
PID 2528 wrote to memory of 2560	2528	vbc.exe	cmd.exe
PID 2528 wrote to memory of 2560	2528	vbc.exe	cmd.exe
PID 2528 wrote to memory of 2560	2528	vbc.exe	cmd.exe
PID 1184 wrote to memory of 2424	1184	vbc.exe	cmd.exe
PID 1184 wrote to memory of 2424	1184	vbc.exe	cmd.exe
PID 1184 wrote to memory of 2424	1184	vbc.exe	cmd.exe
PID 1184 wrote to memory of 2424	1184	vbc.exe	cmd.exe
PID 2528 wrote to memory of 2896	2528	vbc.exe	notepad.exe
PID 2528 wrote to memory of 2896	2528	vbc.exe	notepad.exe
PID 2528 wrote to memory of 2896	2528	vbc.exe	notepad.exe
PID 2528 wrote to memory of 2896	2528	vbc.exe	notepad.exe
PID 1184 wrote to memory of 2572	1184	vbc.exe	notepad.exe
PID 1184 wrote to memory of 2572	1184	vbc.exe	notepad.exe
PID 1184 wrote to memory of 2572	1184	vbc.exe	notepad.exe
PID 1184 wrote to memory of 2572	1184	vbc.exe	notepad.exe
PID 2528 wrote to memory of 2896	2528	vbc.exe	notepad.exe
PID 1184 wrote to memory of 2572	1184	vbc.exe	notepad.exe
PID 2528 wrote to memory of 2896	2528	vbc.exe	notepad.exe
PID 1184 wrote to memory of 2572	1184	vbc.exe	notepad.exe
PID 1184 wrote to memory of 2572	1184	vbc.exe	notepad.exe
PID 2528 wrote to memory of 2896	2528	vbc.exe	notepad.exe

Views/modifies file attributes 1 TTPs 4 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exeattrib.exeattrib.exe

pid process

580 attrib.exe
2380 attrib.exe
584 attrib.exe
268 attrib.exe

pid	process
580	attrib.exe
2380	attrib.exe
584	attrib.exe
268	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2916

C:\Users\Admin\AppData\Local\Temp\f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2580

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
3⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2528

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
4⤵
PID:2600

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
5⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:580

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
4⤵
PID:2560

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
5⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:584

C:\Windows\SysWOW64\notepad.exe
notepad
4⤵
PID:2896

C:\Windows\SysWOW64\MSDCSC\svchost.exe
"C:\Windows\system32\MSDCSC\svchost.exe"
4⤵
- Executes dropped EXE
PID:1200

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1184

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
3⤵
PID:2672

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
4⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:2380

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
3⤵
PID:2424

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
4⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:268

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:2572

C:\Windows\SysWOW64\MSDCSC\wBVkapugtdJz\svchost.exe
"C:\Windows\system32\MSDCSC\wBVkapugtdJz\svchost.exe"
3⤵
- Executes dropped EXE
PID:2356

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

1

T1064

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Hide Artifacts

2

T1564

Hidden Files and Directories

Scripting

Credential Access

Discovery

System Information Discovery

1

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Windows\SysWOW64\MSDCSC\svchost.exe
Filesize
1.1MB

MD5
34aa912defa18c2c129f1e09d75c1d7e

SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470

SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386

SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

Download Submit
memory/1184-19-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1184-81-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1184-21-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/1184-6-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1184-8-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/1184-10-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2528-79-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2528-20-0x0000000000250000-0x0000000000251000-memory.dmp

Filesize
4KB

Download
memory/2528-12-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2580-5-0x0000000074B20000-0x00000000750CB000-memory.dmp

Filesize
5.7MB

Download
memory/2580-4-0x00000000022B0000-0x00000000022F0000-memory.dmp

Filesize
256KB

Download
memory/2580-3-0x0000000074B20000-0x00000000750CB000-memory.dmp

Filesize
5.7MB

Download
memory/2580-87-0x0000000074B20000-0x00000000750CB000-memory.dmp

Filesize
5.7MB

Download
memory/2580-88-0x00000000022B0000-0x00000000022F0000-memory.dmp

Filesize
256KB

Download
memory/2896-22-0x00000000000C0000-0x00000000000C1000-memory.dmp

Filesize
4KB

Download
memory/2896-64-0x0000000000300000-0x0000000000301000-memory.dmp

Filesize
4KB

Download
memory/2916-0-0x0000000074B20000-0x00000000750CB000-memory.dmp

Filesize
5.7MB

Download
memory/2916-2-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download
memory/2916-1-0x0000000074B20000-0x00000000750CB000-memory.dmp

Filesize
5.7MB

Download
memory/2916-85-0x0000000074B20000-0x00000000750CB000-memory.dmp

Filesize
5.7MB

Download
memory/2916-86-0x0000000000220000-0x0000000000260000-memory.dmp

Filesize
256KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads