darkcomet | 4fdecee78958b17a98fee1b0afa23d35bdf11b38bd543c8b66428bb149dd38c2

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\svchost.exe"	vbc.exe

Modifies firewall policy service 2 TTPs 3 IoCs

evasion

Modify Registry

Windows Service

T1543.003

Processes:

vbc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	vbc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	vbc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	vbc.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

vbc.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" vbc.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	vbc.exe

Windows security bypass 2 TTPs 2 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

Processes:

vbc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	vbc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	vbc.exe

Disables RegEdit via registry modification 1 IoCs

evasion

Processes:

vbc.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	vbc.exe

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

4868 attrib.exe
380 attrib.exe

pid	process
4868	attrib.exe
380	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\Control Panel\International\Geo\Nation	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe

Executes dropped EXE 2 IoCs

Processes:

f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exesvchost.exe

pid process

4772 f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
5080 svchost.exe
Uses the VBS compiler for execution 1 TTPs

Scripting
T1064

pid	process
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
5080	svchost.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

Processes:

vbc.exevbc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\MSDCSC\\svchost.exe"	vbc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3198953144-1466794930-246379610-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Windows\\system32\\MSDCSC\\svchost.exe"	vbc.exe

Drops file in System32 directory 3 IoCs

Processes:

vbc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	vbc.exe
File created	C:\Windows\SysWOW64\MSDCSC\svchost.exe	vbc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\svchost.exe	vbc.exe

Suspicious use of SetThreadContext 3 IoCs

Processes:

f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exef27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exevbc.exe

description	pid	process	target process
PID 3516 set thread context of 4188	3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 4772 set thread context of 3852	4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 3852 set thread context of 5044	3852	vbc.exe	iexplore.exe

Drops file in Windows directory 2 IoCs

Processes:

attrib.exeattrib.exe

description	ioc	process
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727	attrib.exe
File opened for modification	C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe	attrib.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

vbc.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ vbc.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	vbc.exe

Suspicious behavior: EnumeratesProcesses 64 IoCs

Processes:

f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exef27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe

pid	process
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken 50 IoCs

Processes:

f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exevbc.exef27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exevbc.exe

description	pid	process
Token: SeDebugPrivilege	3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	4188	vbc.exe
Token: SeSecurityPrivilege	4188	vbc.exe
Token: SeTakeOwnershipPrivilege	4188	vbc.exe
Token: SeLoadDriverPrivilege	4188	vbc.exe
Token: SeSystemProfilePrivilege	4188	vbc.exe
Token: SeSystemtimePrivilege	4188	vbc.exe
Token: SeProfSingleProcessPrivilege	4188	vbc.exe
Token: SeIncBasePriorityPrivilege	4188	vbc.exe
Token: SeCreatePagefilePrivilege	4188	vbc.exe
Token: SeBackupPrivilege	4188	vbc.exe
Token: SeRestorePrivilege	4188	vbc.exe
Token: SeShutdownPrivilege	4188	vbc.exe
Token: SeDebugPrivilege	4188	vbc.exe
Token: SeSystemEnvironmentPrivilege	4188	vbc.exe
Token: SeChangeNotifyPrivilege	4188	vbc.exe
Token: SeRemoteShutdownPrivilege	4188	vbc.exe
Token: SeUndockPrivilege	4188	vbc.exe
Token: SeManageVolumePrivilege	4188	vbc.exe
Token: SeImpersonatePrivilege	4188	vbc.exe
Token: SeCreateGlobalPrivilege	4188	vbc.exe
Token: 33	4188	vbc.exe
Token: 34	4188	vbc.exe
Token: 35	4188	vbc.exe
Token: 36	4188	vbc.exe
Token: SeDebugPrivilege	4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	3852	vbc.exe
Token: SeSecurityPrivilege	3852	vbc.exe
Token: SeTakeOwnershipPrivilege	3852	vbc.exe
Token: SeLoadDriverPrivilege	3852	vbc.exe
Token: SeSystemProfilePrivilege	3852	vbc.exe
Token: SeSystemtimePrivilege	3852	vbc.exe
Token: SeProfSingleProcessPrivilege	3852	vbc.exe
Token: SeIncBasePriorityPrivilege	3852	vbc.exe
Token: SeCreatePagefilePrivilege	3852	vbc.exe
Token: SeBackupPrivilege	3852	vbc.exe
Token: SeRestorePrivilege	3852	vbc.exe
Token: SeShutdownPrivilege	3852	vbc.exe
Token: SeDebugPrivilege	3852	vbc.exe
Token: SeSystemEnvironmentPrivilege	3852	vbc.exe
Token: SeChangeNotifyPrivilege	3852	vbc.exe
Token: SeRemoteShutdownPrivilege	3852	vbc.exe
Token: SeUndockPrivilege	3852	vbc.exe
Token: SeManageVolumePrivilege	3852	vbc.exe
Token: SeImpersonatePrivilege	3852	vbc.exe
Token: SeCreateGlobalPrivilege	3852	vbc.exe
Token: 33	3852	vbc.exe
Token: 34	3852	vbc.exe
Token: 35	3852	vbc.exe
Token: 36	3852	vbc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exef27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exevbc.exevbc.execmd.execmd.exe

description	pid	process	target process
PID 3516 wrote to memory of 4188	3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 3516 wrote to memory of 4188	3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 3516 wrote to memory of 4188	3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 3516 wrote to memory of 4188	3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 3516 wrote to memory of 4188	3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 3516 wrote to memory of 4188	3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 3516 wrote to memory of 4188	3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 3516 wrote to memory of 4188	3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 3516 wrote to memory of 4188	3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 3516 wrote to memory of 4188	3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 3516 wrote to memory of 4188	3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 3516 wrote to memory of 4188	3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 3516 wrote to memory of 4188	3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 3516 wrote to memory of 4188	3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 3516 wrote to memory of 4772	3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
PID 3516 wrote to memory of 4772	3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
PID 3516 wrote to memory of 4772	3516	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
PID 4772 wrote to memory of 3852	4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 4772 wrote to memory of 3852	4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 4772 wrote to memory of 3852	4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 4772 wrote to memory of 3852	4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 4772 wrote to memory of 3852	4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 4772 wrote to memory of 3852	4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 4772 wrote to memory of 3852	4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 4772 wrote to memory of 3852	4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 4772 wrote to memory of 3852	4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 4772 wrote to memory of 3852	4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 4772 wrote to memory of 3852	4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 4772 wrote to memory of 3852	4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 4772 wrote to memory of 3852	4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 4772 wrote to memory of 3852	4772	f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe	vbc.exe
PID 4188 wrote to memory of 2132	4188	vbc.exe	cmd.exe
PID 4188 wrote to memory of 2132	4188	vbc.exe	cmd.exe
PID 4188 wrote to memory of 2132	4188	vbc.exe	cmd.exe
PID 4188 wrote to memory of 3084	4188	vbc.exe	cmd.exe
PID 4188 wrote to memory of 3084	4188	vbc.exe	cmd.exe
PID 4188 wrote to memory of 3084	4188	vbc.exe	cmd.exe
PID 4188 wrote to memory of 4484	4188	vbc.exe	notepad.exe
PID 4188 wrote to memory of 4484	4188	vbc.exe	notepad.exe
PID 4188 wrote to memory of 4484	4188	vbc.exe	notepad.exe
PID 4188 wrote to memory of 4484	4188	vbc.exe	notepad.exe
PID 4188 wrote to memory of 4484	4188	vbc.exe	notepad.exe
PID 4188 wrote to memory of 4484	4188	vbc.exe	notepad.exe
PID 4188 wrote to memory of 4484	4188	vbc.exe	notepad.exe
PID 4188 wrote to memory of 4484	4188	vbc.exe	notepad.exe
PID 4188 wrote to memory of 4484	4188	vbc.exe	notepad.exe
PID 4188 wrote to memory of 4484	4188	vbc.exe	notepad.exe
PID 4188 wrote to memory of 4484	4188	vbc.exe	notepad.exe
PID 4188 wrote to memory of 4484	4188	vbc.exe	notepad.exe
PID 4188 wrote to memory of 4484	4188	vbc.exe	notepad.exe
PID 4188 wrote to memory of 4484	4188	vbc.exe	notepad.exe
PID 4188 wrote to memory of 4484	4188	vbc.exe	notepad.exe
PID 4188 wrote to memory of 4484	4188	vbc.exe	notepad.exe
PID 4188 wrote to memory of 4484	4188	vbc.exe	notepad.exe
PID 3852 wrote to memory of 5044	3852	vbc.exe	iexplore.exe
PID 3852 wrote to memory of 5044	3852	vbc.exe	iexplore.exe
PID 3852 wrote to memory of 5044	3852	vbc.exe	iexplore.exe
PID 3852 wrote to memory of 5044	3852	vbc.exe	iexplore.exe
PID 3852 wrote to memory of 5044	3852	vbc.exe	iexplore.exe
PID 3084 wrote to memory of 4868	3084	cmd.exe	attrib.exe
PID 3084 wrote to memory of 4868	3084	cmd.exe	attrib.exe
PID 3084 wrote to memory of 4868	3084	cmd.exe	attrib.exe
PID 2132 wrote to memory of 380	2132	cmd.exe	attrib.exe
PID 2132 wrote to memory of 380	2132	cmd.exe	attrib.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

4868 attrib.exe
380 attrib.exe

pid	process
4868	attrib.exe
380	attrib.exe

C:\Users\Admin\AppData\Local\Temp\f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3516

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
2⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Drops file in System32 directory
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4188

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:2132

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
4⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:380

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:3084

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
4⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:4868

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:4484

C:\Windows\SysWOW64\MSDCSC\svchost.exe
"C:\Windows\system32\MSDCSC\svchost.exe"
3⤵
- Executes dropped EXE
PID:5080

C:\Users\Admin\AppData\Local\Temp\f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\f27bcaa1644a3d59b1dbfb38c5aa0d6c_JaffaCakes118.exe"
2⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4772

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3852

C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
4⤵
PID:5044

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Scripting

T1064

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

5

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Hide Artifacts

T1564

Hidden Files and Directories

Scripting

Credential Access

Discovery

Query Registry

T1012

System Information Discovery