Analysis
- max time kernel: 150s
- max time network: 126s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 16-04-2024 02:33

Static task: static1
Behavioral task: behavioral1
- Sample: f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
- Resource: win7-20240221-en
General
- Target: f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
- Size: 1.0MB
- MD5: f27bcaa1644a3d59b1dbfb38c5aa0d6c
- SHA1: d19334e7313a329b264b1236c579136e7e4ea1b0
- SHA256: 4fdecee78958b17a98fee1b0afa23d35bdf11b38bd543c8b66428bb149dd38c2
- SHA512: 47096764fcb520594421fe10382739769c0b363fdb3922af52ab18fc6d77db5226bdf8358ff28c4a53f0ed4f87626c8593afa35fabafa083cbdb84a8dbaeccab
- SSDEEP: 12288:zUZsL8GPNmld8eiGb8f+F54+e6kT6D6BTqU8PfiVp+Xc9gw9z3UKhrhOniBkbdnL:gK3KF+wkP8UYs9NzkTmrRbaS0Vrdvr
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16
- C2: ultrafucker.no-ip.org:1604
- Mutex: DC_MUTEX-XKL4MDM
- InstallPath: MSDCSC\svchost.exe
- gencode: wBVkapugtdJz
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: svchost
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: vbc.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\svchost.exe" [vbc.exe]

Modifies firewall policy service (2 TTPs, 3 IoCs)
  Processes: vbc.exe
  - Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile [vbc.exe]
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" [vbc.exe]
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" [vbc.exe]

Modifies security service (2 TTPs, 1 IoC)
  Processes: vbc.exe
  - Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" [vbc.exe]

Windows security bypass (2 IoCs)
  Processes: vbc.exe
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" [vbc.exe]
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" [vbc.exe]

Disables RegEdit via registry modification (1 IoC)
  Processes: vbc.exe
  - Set value (int) \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" [vbc.exe]

Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  Processes: attrib.exe, attrib.exe
  - PID 4868 attrib.exe
  - PID 380 attrib.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
  - Key value queried \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation [f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe]

Executes dropped EXE (2 IoCs)
  Processes: f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe, svchost.exe
  - PID 4772 f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
  - PID 5080 svchost.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: vbc.exe, vbc.exe
  - Set value (str) \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\MSDCSC\\svchost.exe" [vbc.exe]
  - Set value (str) \REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\MSDCSC\\svchost.exe" [vbc.exe]

Drops file in System32 directory (3 IoCs)
  Processes: vbc.exe
  - File opened for modification C:\Windows\SysWOW64\MSDCSC\ [vbc.exe]
  - File created C:\Windows\SysWOW64\MSDCSC\svchost.exe [vbc.exe]
  - File opened for modification C:\Windows\SysWOW64\MSDCSC\svchost.exe [vbc.exe]

Suspicious use of SetThreadContext (3 IoCs)
  Processes: f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe, f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe, vbc.exe
  - PID 3516 f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe set thread context of 4188 (procid_target 89)
  - PID 4772 f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe set thread context of 3852 (procid_target 91)
  - PID 3852 vbc.exe set thread context of 5044 (procid_target 97)

Drops file in Windows directory (2 IoCs)
  Processes: attrib.exe, attrib.exe
  - File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727 [attrib.exe]
  - File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe [attrib.exe]

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
  Processes: vbc.exe
  - Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ [vbc.exe]

Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe, f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
  All 64 events come from the two processes below, alternating between them:
  - PID 3516 f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
  - PID 4772 f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (50 IoCs)
  Processes: f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe, vbc.exe, f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe, vbc.exe
  Privileges enabled, per process:
  - PID 3516 f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe: SeDebugPrivilege
  - PID 4188 vbc.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  - PID 4772 f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe: SeDebugPrivilege
  - PID 3852 vbc.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe, f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe, vbc.exe, vbc.exe, cmd.exe, cmd.exe
  Distinct writer/target pairs among the 64 events (each pair is repeated several times in the raw log):
  - PID 3516 f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe wrote to memory of 4188 (procid_target 89)
  - PID 3516 f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe wrote to memory of 4772 (procid_target 90)
  - PID 4772 f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe wrote to memory of 3852 (procid_target 91)
  - PID 4188 vbc.exe wrote to memory of 2132 (procid_target 92)
  - PID 4188 vbc.exe wrote to memory of 3084 (procid_target 93)
  - PID 4188 vbc.exe wrote to memory of 4484 (procid_target 94)
  - PID 3852 vbc.exe wrote to memory of 5044 (procid_target 97)
  - PID 3084 cmd.exe wrote to memory of 4868 (procid_target 99)
  - PID 2132 cmd.exe wrote to memory of 380 (procid_target 101)

Views/modifies file attributes (1 TTP, 2 IoCs)
  Processes: attrib.exe, attrib.exe
  - PID 4868 attrib.exe
  - PID 380 attrib.exe
Processes
(process tree; level numbers give the depth at which the sandbox recorded each process)

C:\Users\Admin\AppData\Local\Temp\f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe"
  Level 1, PID 3516
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

    C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      Level 2, PID 4188
      - Modifies WinLogon for persistence
      - Adds Run key to start application
      - Drops file in System32 directory
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
          Level 3, PID 2132
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\attrib.exe
              Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
              Level 4, PID 380
              - Sets file to hidden
              - Drops file in Windows directory
              - Views/modifies file attributes

        C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
          Level 3, PID 3084
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\attrib.exe
              Command line: attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
              Level 4, PID 4868
              - Sets file to hidden
              - Drops file in Windows directory
              - Views/modifies file attributes

        C:\Windows\SysWOW64\notepad.exe
          Command line: notepad
          Level 3, PID 4484

        C:\Windows\SysWOW64\MSDCSC\svchost.exe
          Command line: "C:\Windows\system32\MSDCSC\svchost.exe"
          Level 3, PID 5080
          - Executes dropped EXE

    C:\Users\Admin\AppData\Local\Temp\f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe"
      Level 2, PID 4772
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

        C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          Level 3, PID 3852
          - Modifies firewall policy service
          - Modifies security service
          - Windows security bypass
          - Disables RegEdit via registry modification
          - Adds Run key to start application
          - Suspicious use of SetThreadContext
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of WriteProcessMemory

            C:\Program Files (x86)\Internet Explorer\iexplore.exe
              Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
              Level 4, PID 5044
Network

MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads
- Filesize: 1.0MB
  MD5: f27bcaa1644a3d59b1dbfb38c5aa0d6c
  SHA1: d19334e7313a329b264b1236c579136e7e4ea1b0
  SHA256: 4fdecee78958b17a98fee1b0afa23d35bdf11b38bd543c8b66428bb149dd38c2
  SHA512: 47096764fcb520594421fe10382739769c0b363fdb3922af52ab18fc6d77db5226bdf8358ff28c4a53f0ed4f87626c8593afa35fabafa083cbdb84a8dbaeccab
- Filesize: 1.1MB
  MD5: d881de17aa8f2e2c08cbb7b265f928f9
  SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
  SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
  SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34