darkcomet | 7dbcc8ab214c297785e7fd297c88851d830630fdfb02bf437f29840231e3fa19

Analysis

max time kernel
150s
max time network
153s
platform
windows7_x64
resource
win7-20240221-en
resource tags

arch:x64arch:x86image:win7-20240221-enlocale:en-usos:windows7-x64system
submitted
26/04/2024, 13:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
Size

337KB
MD5

00d9a5e024a10ea49259a0cc5524f12b
SHA1

fb4c2578b54dccdae91cb547835893f9fe028ce1
SHA256

7dbcc8ab214c297785e7fd297c88851d830630fdfb02bf437f29840231e3fa19
SHA512

1e54b692e092247b79e503b29e81fff35cf3d670a4606e977ab9a329e87233aa6652678b28e46f8bda2d0064621d46a0dbd9aff3b6e584801f2797ff4d7d2337
SSDEEP

6144:qcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL377Kf2D/Ix6GiC66A:qcW7KEZlPzCy377Kxx6rCi

Score

10^/10

darkcomet ramnit gmrprd banker evasion persistence rat spyware stealer trojan upx worm

Malware Config

Extracted

Family

darkcomet

Botnet

gmrprd

gmrprd.ddns.net:1337

Mutex

DC_MUTEX-TXKG4FS

Attributes

InstallPath
WINDOWS.exe
gencode
M8SFD01grWQc
install
true
offline_keylogger
true
persistence
true
reg_key
Windows

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\WINDOWS.exe"	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"	WINDOWS.exe

Ramnit
Ramnit is a versatile family that holds viruses, worms, and Trojans.
trojan spyware stealer worm banker ramnit

Executes dropped EXE 4 IoCs

pid	Process
2228	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118Srv.exe
2860	DesktopLayer.exe
2460	WINDOWS.exe
1952	WINDOWSSrv.exe

Loads dropped DLL 8 IoCs

pid	Process
2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
2228	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118Srv.exe
2228	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118Srv.exe
2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
2460	WINDOWS.exe
2460	WINDOWS.exe

UPX packed file 24 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2020-0-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2228-18-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2228-13-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2860-33-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/files/0x0008000000014708-35.dat	upx
behavioral1/memory/2020-37-0x0000000005550000-0x0000000005625000-memory.dmp	upx
behavioral1/memory/2460-44-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/1952-60-0x0000000000400000-0x0000000000413000-memory.dmp	upx
behavioral1/memory/2020-54-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2460-576-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2460-577-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2460-579-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2460-580-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2460-581-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2460-582-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2460-583-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2460-1064-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2460-1065-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2460-1066-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2460-1067-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2460-1068-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2460-1069-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2460-1070-0x0000000000400000-0x00000000004D5000-memory.dmp	upx
behavioral1/memory/2460-1071-0x0000000000400000-0x00000000004D5000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Windows\\system32\\WINDOWS.exe"	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\Windows\\system32\\WINDOWS.exe"	WINDOWS.exe

Drops file in System32 directory 4 IoCs

description	ioc	Process
File created	C:\Windows\SysWOW64\WINDOWS.exe	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\WINDOWS.exe	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\WINDOWSSrv.exe	WINDOWS.exe

Drops file in Program Files directory 5 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Microsoft\px1ED6.tmp	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118Srv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118Srv.exe
File opened for modification	C:\Program Files (x86)\Microsoft\px206C.tmp	WINDOWSSrv.exe
File created	C:\Program Files (x86)\Microsoft\DesktopLayer.exe	WINDOWSSrv.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "420299216"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{18AA9201-03CF-11EF-A8CB-6EAD7206CC74} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe

Suspicious behavior: EnumeratesProcesses 8 IoCs

pid	Process
2860	DesktopLayer.exe
2860	DesktopLayer.exe
2860	DesktopLayer.exe
2860	DesktopLayer.exe
1952	WINDOWSSrv.exe
1952	WINDOWSSrv.exe
1952	WINDOWSSrv.exe
1952	WINDOWSSrv.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
Token: SeSecurityPrivilege	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
Token: SeBackupPrivilege	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
Token: SeRestorePrivilege	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
Token: SeShutdownPrivilege	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
Token: SeDebugPrivilege	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
Token: SeUndockPrivilege	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
Token: 33	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
Token: 34	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
Token: 35	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2460	WINDOWS.exe
Token: SeSecurityPrivilege	2460	WINDOWS.exe
Token: SeTakeOwnershipPrivilege	2460	WINDOWS.exe
Token: SeLoadDriverPrivilege	2460	WINDOWS.exe
Token: SeSystemProfilePrivilege	2460	WINDOWS.exe
Token: SeSystemtimePrivilege	2460	WINDOWS.exe
Token: SeProfSingleProcessPrivilege	2460	WINDOWS.exe
Token: SeIncBasePriorityPrivilege	2460	WINDOWS.exe
Token: SeCreatePagefilePrivilege	2460	WINDOWS.exe
Token: SeBackupPrivilege	2460	WINDOWS.exe
Token: SeRestorePrivilege	2460	WINDOWS.exe
Token: SeShutdownPrivilege	2460	WINDOWS.exe
Token: SeDebugPrivilege	2460	WINDOWS.exe
Token: SeSystemEnvironmentPrivilege	2460	WINDOWS.exe
Token: SeChangeNotifyPrivilege	2460	WINDOWS.exe
Token: SeRemoteShutdownPrivilege	2460	WINDOWS.exe
Token: SeUndockPrivilege	2460	WINDOWS.exe
Token: SeManageVolumePrivilege	2460	WINDOWS.exe
Token: SeImpersonatePrivilege	2460	WINDOWS.exe
Token: SeCreateGlobalPrivilege	2460	WINDOWS.exe
Token: 33	2460	WINDOWS.exe
Token: 34	2460	WINDOWS.exe
Token: 35	2460	WINDOWS.exe

Suspicious use of FindShellTrayWindow 2 IoCs

pid	Process
1996	iexplore.exe
1996	iexplore.exe

Suspicious use of SetWindowsHookEx 11 IoCs

pid	Process
1996	iexplore.exe
1996	iexplore.exe
2440	IEXPLORE.EXE
2440	IEXPLORE.EXE
1996	iexplore.exe
1996	iexplore.exe
2460	WINDOWS.exe
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE
2812	IEXPLORE.EXE

Suspicious use of UnmapMainImage 3 IoCs

pid	Process
2228	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118Srv.exe
2860	DesktopLayer.exe
1952	WINDOWSSrv.exe

Suspicious use of WriteProcessMemory 55 IoCs

description	pid	Process	procid_target
PID 2020 wrote to memory of 2228	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe	28
PID 2020 wrote to memory of 2228	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe	28
PID 2020 wrote to memory of 2228	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe	28
PID 2020 wrote to memory of 2228	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe	28
PID 2228 wrote to memory of 2860	2228	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118Srv.exe	29
PID 2228 wrote to memory of 2860	2228	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118Srv.exe	29
PID 2228 wrote to memory of 2860	2228	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118Srv.exe	29
PID 2228 wrote to memory of 2860	2228	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118Srv.exe	29
PID 2860 wrote to memory of 1996	2860	DesktopLayer.exe	30
PID 2860 wrote to memory of 1996	2860	DesktopLayer.exe	30
PID 2860 wrote to memory of 1996	2860	DesktopLayer.exe	30
PID 2860 wrote to memory of 1996	2860	DesktopLayer.exe	30
PID 1996 wrote to memory of 2440	1996	iexplore.exe	31
PID 1996 wrote to memory of 2440	1996	iexplore.exe	31
PID 1996 wrote to memory of 2440	1996	iexplore.exe	31
PID 1996 wrote to memory of 2440	1996	iexplore.exe	31
PID 2020 wrote to memory of 2460	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe	32
PID 2020 wrote to memory of 2460	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe	32
PID 2020 wrote to memory of 2460	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe	32
PID 2020 wrote to memory of 2460	2020	00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe	32
PID 2460 wrote to memory of 1952	2460	WINDOWS.exe	33
PID 2460 wrote to memory of 1952	2460	WINDOWS.exe	33
PID 2460 wrote to memory of 1952	2460	WINDOWS.exe	33
PID 2460 wrote to memory of 1952	2460	WINDOWS.exe	33
PID 1952 wrote to memory of 2976	1952	WINDOWSSrv.exe	34
PID 1952 wrote to memory of 2976	1952	WINDOWSSrv.exe	34
PID 1952 wrote to memory of 2976	1952	WINDOWSSrv.exe	34
PID 1952 wrote to memory of 2976	1952	WINDOWSSrv.exe	34
PID 1996 wrote to memory of 2812	1996	iexplore.exe	36
PID 1996 wrote to memory of 2812	1996	iexplore.exe	36
PID 1996 wrote to memory of 2812	1996	iexplore.exe	36
PID 1996 wrote to memory of 2812	1996	iexplore.exe	36
PID 2460 wrote to memory of 2848	2460	WINDOWS.exe	35
PID 2460 wrote to memory of 2848	2460	WINDOWS.exe	35
PID 2460 wrote to memory of 2848	2460	WINDOWS.exe	35
PID 2460 wrote to memory of 2848	2460	WINDOWS.exe	35
PID 2460 wrote to memory of 2848	2460	WINDOWS.exe	35
PID 2460 wrote to memory of 2848	2460	WINDOWS.exe	35
PID 2460 wrote to memory of 2848	2460	WINDOWS.exe	35
PID 2460 wrote to memory of 2848	2460	WINDOWS.exe	35
PID 2460 wrote to memory of 2848	2460	WINDOWS.exe	35
PID 2460 wrote to memory of 2848	2460	WINDOWS.exe	35
PID 2460 wrote to memory of 2848	2460	WINDOWS.exe	35
PID 2460 wrote to memory of 2848	2460	WINDOWS.exe	35
PID 2460 wrote to memory of 2848	2460	WINDOWS.exe	35
PID 2460 wrote to memory of 2848	2460	WINDOWS.exe	35
PID 2460 wrote to memory of 2848	2460	WINDOWS.exe	35
PID 2460 wrote to memory of 2848	2460	WINDOWS.exe	35
PID 2460 wrote to memory of 2848	2460	WINDOWS.exe	35
PID 2460 wrote to memory of 2848	2460	WINDOWS.exe	35
PID 2460 wrote to memory of 2848	2460	WINDOWS.exe	35
PID 2460 wrote to memory of 2848	2460	WINDOWS.exe	35
PID 2460 wrote to memory of 2848	2460	WINDOWS.exe	35
PID 2460 wrote to memory of 2848	2460	WINDOWS.exe	35
PID 2460 wrote to memory of 2848	2460	WINDOWS.exe	35

C:\Users\Admin\AppData\Local\Temp\00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2020
- C:\Users\Admin\AppData\Local\Temp\00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118Srv.exe
  C:\Users\Admin\AppData\Local\Temp\00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118Srv.exe
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - Suspicious use of UnmapMainImage
  - Suspicious use of WriteProcessMemory
  PID:2228
- - C:\Program Files (x86)\Microsoft\DesktopLayer.exe
    "C:\Program Files (x86)\Microsoft\DesktopLayer.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:2860
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:1996
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:275457 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2440
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1996 CREDAT:537602 /prefetch:2
        5⤵
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2812
- C:\Windows\SysWOW64\WINDOWS.exe
  "C:\Windows\system32\WINDOWS.exe"
  2⤵
  - Modifies security service
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2460
- - C:\Windows\SysWOW64\WINDOWSSrv.exe
    C:\Windows\SysWOW64\WINDOWSSrv.exe
    3⤵
    - Executes dropped EXE
    - Drops file in Program Files directory
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of UnmapMainImage
    - Suspicious use of WriteProcessMemory
    PID:1952
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      PID:2976
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    PID:2848

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

Filesize
68KB

MD5
29f65ba8e88c063813cc50a4ea544e93

SHA1
05a7040d5c127e68c25d81cc51271ffb8bef3568

SHA256
1ed81fa8dfb6999a9fedc6e779138ffd99568992e22d300acd181a6d2c8de184

SHA512
e29b2e92c496245bed3372578074407e8ef8882906ce10c35b3c8deebfefe01b5fd7f3030acaa693e175f4b7aca6cd7d8d10ae1c731b09c5fa19035e005de3aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
90c541b18a4777e45f9a905935e62f30

SHA1
1a9ea94710970eb41442db30aecf84ae714b9bc7

SHA256
7051f708cec37fd69fc08737e5870c256474cb769c400d81ccbffb5c90686c88

SHA512
a0e1aa7b4722ae1ddccc1dda288731cbb93d90b1fed52937b2bb6aa64507782ee6461739d983f86cd20cf66386a934f1fa28903a579a05a9c60944c63fd27acc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
629364a650f88bb18503b885b603b034

SHA1
53b8257bb833399f9dabba7fac46f8576e4c167c

SHA256
68e000204359f42e3077e7ecd71c77b2fd62d7772e66ce59ecd7d82fe7191171

SHA512
efed0e439fe79b70d0a376ee5596363d3802b896918c69331f81886f75ff9771e41da3b79a7d3eecf8faac9eb378e187787fc7ea7f392a0859f49f5dfe592b74

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dcc5f5cc2b9f7325bc040a0ac72d6f07

SHA1
6627686c2262b97ac97d3c655989dacadf8fedaf

SHA256
cda6281c362dedd3fc3c5f3eb1d971e0ec3781c7ed223408cec87e2dfc22f46a

SHA512
9e67441112d5ea782eeefcdcc6e69a47b5f2cf248a044838c4433e1f4bf0600d49873ffbcfc0eaf17d3b382f9a63c505054e5afb07e51f44959de9c13ef59380

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0e0ce7216c2b92cb2852d0542945bf93

SHA1
e0b50e320ecd669e037f9acbae3a570e5fd259b3

SHA256
be262adc7f9c41f55c93279e0b7aa28bb47d9570ba89ef11ee301f6a5bb10a94

SHA512
a593f64fb881e0bd98334d6fceee13985bdfc5e215bfc6b73731ac13cf11f9d308a5f1b76957c2c16c0e820ad61999a9986ed19e398e1c8e8beb241070619301

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a819dcc1abf779fadeb5a009f54e8a5c

SHA1
da6f9047f6ae7f3d5f3f61eab39dad740cd74686

SHA256
77d546b764b031f18faef8805a9ea53a4703ef21537c71e6a3493bde594fea9c

SHA512
b541db6f40f18c3a3d25177c4af9080aa55ba29fae92f5a1baef2c9d4cea9037337c4ebb7f0c6ea28519e40b7b2d3488ee3417a9c7b5aff629cd8a0a837e428c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
0e8b87812eadbf09bd8bd5e0a8a4da19

SHA1
353cd074c9cae858c293142d17fc3e3b805e608a

SHA256
b4c87bccacab3aeac67b569a4de2f6c82bce006eba338246e420ed4e1f19db80

SHA512
6bc55a1aa0380ddb0ce13c913b5e72f780f99628ac9c263b6659552bad9f15c58f5f054c1827a0763ad321e1f82197b66a2b76ca896c0432b729bc4ef4b29880

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
7d7d6629d8f402743e6c8d5cd39b62c0

SHA1
f9d9ac132537947f8c0419de9dbab57c2e9f5d0b

SHA256
4699d5d73e9a55c069c2e3aab3b050b8aec537325b99eb96e66db288e2b57e8f

SHA512
7711fdbf73d407e053ddc5cd65cf2ae9e5068afc37a17b5cafd2e00338d721f960da5395eb4420b0f17d52067154109cf10e5418a3da6b121d0b5fc06105d46c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4023ba375338503eb54c49913d7cc72b

SHA1
a937306efa2419ec1be5263f76b04b3d1bce14ae

SHA256
74d9afebe7922d45ac8e3645510fecdfa8dfd9d0a1562d2db7327047f527016d

SHA512
f8718ec2c96ef911d364ab993ffdab13f777186ec083d008d506a6d6b98cc9c8de31306a749c7418b17fc954ee133d2dd1480c5c64d323725c46ac08562cda48

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
b776489ed2c6925ecb0b40e5053914e6

SHA1
5e09bb2c42e12d905dd0e1c51e5fbf89d1473e14

SHA256
471f7f29f7783058e798a816f685250e20a28709a49d0edfb9c0e120bc0345df

SHA512
3c500e8d2721649d43c38f7f1020a84d0b617ab3d17693e3097f74667022c08aacd1821270e3d9511eb5846d0fb8accd06cee6ab4a4302d2296e0b9b913da63b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
696ba7a0c48a315e593a9d3b6a43ad3e

SHA1
df98217c01d5e40612e2a57a0bbd059106549c12

SHA256
f4f89e744067f340b95f16758d1ffcfda6b6c916625b1c296764f0ade928c8f0

SHA512
db9184686a884d98970eab803ae534c973b4b251acc2aa30d586d1c3f4da5c3be0be29060cff3f24b10720ae67e6b008ed1a17b8b22e44c1a27897b6d6b3723d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
34a305c35389b41e68233d6ee629a048

SHA1
6f91a0c87d1bd0024e2bafc452ffb58834950e23

SHA256
e055fcba0576b0d706b56bef2725c7bd6571eec033713fac2a5da63dea046e4e

SHA512
f743f5d824c43f2d98f49fa734b9224bcc0b66128ec6b14779f245f390f78aff6f391706bef3cb117109049d70f0afb22458afa453d85387cb5dfe09f80264af

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
eb614a6f7e39d876e095376186ebac0d

SHA1
fa2f2a5926fc8368f058d337cbe1ec1b04113f93

SHA256
4f6b30760f2c870758ea72bff1212d3c10316e704077735f6a03859be5934510

SHA512
e27546485bb6b95001096deec0ffd37a9a3d300f90bbaea06a0b94765b1a6c2dde0e13dd3dfd0c2aa6b822ac99e1f1ca6e855e9803d29ac60049a6f338f57ddc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
27ee2ce416fd3499a39176a9cd888ee3

SHA1
9efa40b6ec644dc1cb4bfa2cd76299dfffb9207e

SHA256
60dbfeb5171e8f8edea82cb9a5e7807c4556d00984a3cc2049ec2fd03e9fe2bf

SHA512
081e9c9cf1048d3950a79ea234bef5b62512de06d2991b67dd9954e14d4982505fa99bc19dd9721cf944e63798dba285f06a8a9c4c2ce07cfd74adda5c931e5b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
a7b0fb8834bc11ef35d690269f87532f

SHA1
7bb6e93b3e6918c37f8825c310cf6f117ae4b5d6

SHA256
93788c322092f6017e6ca3c277ca0968167c23c9ee1f625def7358cad9822a0e

SHA512
562e1cb2c486f567b7f15d6e75c6f8c11466f11115ac45dda818495cb37537eea72850ddfde5878caeaa636a0ed3d5bec36bd50dd4253ac585b68f89d393e2be

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
4224390de05260ac2f9326e233359697

SHA1
056657de2f55c5e47715f081e89a564604a31424

SHA256
a43a631dc6687e08af1323b8ab4ba9076ddf4b9a596a449ed46e4af7f1bd4665

SHA512
259bc7527f9c902d148c57c8f5b9197ece643c752a06751e3e7b33e62085c22c1c44f5c4efb8812b32628d518eb1dc4d00d66a1b979b78c585a305a26f8b74dc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
046a34b15414e6cbbe3265daeff92333

SHA1
2ad40db6afc104ddbd84d8912dd5dca627620ed3

SHA256
fc5a17f82e84e51d7b2c016b8165fdf81b3ad1e7cac5f128d094508f65bb46b8

SHA512
b75adb7df21e4dae29b015f672889f8ed5aa458dd63a1b5dd99a197f3c429954389c41b4ca5931bdb611e21c36bc3ff41992f90c80502de9bfe788bc386c41bc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
939b2a40d5d8b45ad403803a7aa95739

SHA1
149ec25a6ad44e83a1d449c713d47f695a7940c9

SHA256
8ba865017d7e92aec7e82a739daf6945fb1ebc898924d97e04d3ba014252ecdc

SHA512
fe53cda9ea3c2ea95b6696434a7ac749981fdaf63bbd7b564f39fef6e0461e1076f9774fd6dc3ea7142a10f7a0bcba2a5411f2b94ef9993d628170bb9cd3d712

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dc3ad4f903c2500d22844afc40ab8a65

SHA1
460bc3dc0e641f46feab3f2da6a7bc2e9087e4c2

SHA256
188d5b913f529809c9daed5c1b7185c97c6cd1f4240997d9e9a7c9d99cf76676

SHA512
48444dfa39ab611ad8c15b71ed82bf98c1b365d9142b7678a44b7524fef351f8124a31cac1de3b974cb0808192bb909745296a420d62f9b2c66a08777846382e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
344B

MD5
dcafa983bcd72b78a0702f4734a71be8

SHA1
8c3528b58d4342707172d6bed78b406b2ca61701

SHA256
9a850e702e00e9eb9aa40910a773b46b2bb5b9508439523bd957e35977f55ab5

SHA512
e87cf441bbf1c85e32362ab4c26563a8c8f483994336cfd1ee7a2a0a24038b98cc91bce8047a00111abeda320608936504cf8a8b9ccb3cb7e762c922de4aff2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab367C.tmp

Filesize
65KB

MD5
ac05d27423a85adc1622c714f2cb6184

SHA1
b0fe2b1abddb97837ea0195be70ab2ff14d43198

SHA256
c6456e12e5e53287a547af4103e0397cb9697e466cf75844312dc296d43d144d

SHA512
6d0ef9050e41fbae680e0e59dd0f90b6ac7fea5579ef5708b69d5da33a0ece7e8b16574b58b17b64a34cc34a4ffc22b4a62c1ece61f36c4a11a0665e0536b90d

Download Submit
C:\Users\Admin\AppData\Local\Temp\Tar376F.tmp

Filesize
177KB

MD5
435a9ac180383f9fa094131b173a2f7b

SHA1
76944ea657a9db94f9a4bef38f88c46ed4166983

SHA256
67dc37ed50b8e63272b49a254a6039ee225974f1d767bb83eb1fd80e759a7c34

SHA512
1a6b277611959720a9c71114957620517ad94541302f164eb872bd322292a952409bafb8bc2ac793b16ad5f25d83f8594ccff2b7834e3c2b2b941e6fc84c009a

Download Submit
\Users\Admin\AppData\Local\Temp\00d9a5e024a10ea49259a0cc5524f12b_JaffaCakes118Srv.exe

Filesize
52KB

MD5
17efb7e40d4cadaf3a4369435a8772ec

SHA1
eb9302063ac2ab599ae93aaa1e45b88bbeacbca2

SHA256
f515564b67efd06fa42f57532feafc49d40b0fc36c5d4935300dd55416f0a386

SHA512
522fba06304950860fa9aa8933b12b9323dea47dbda363db3f57535396c156c4cf6934a9db38fff8c77503fcb889d030fadb639094a1f34bbad54c79c8734450

Download Submit
\Windows\SysWOW64\WINDOWS.exe

Filesize
337KB

MD5
00d9a5e024a10ea49259a0cc5524f12b

SHA1
fb4c2578b54dccdae91cb547835893f9fe028ce1

SHA256
7dbcc8ab214c297785e7fd297c88851d830630fdfb02bf437f29840231e3fa19

SHA512
1e54b692e092247b79e503b29e81fff35cf3d670a4606e977ab9a329e87233aa6652678b28e46f8bda2d0064621d46a0dbd9aff3b6e584801f2797ff4d7d2337

Download Submit
memory/1952-55-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/1952-60-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2020-10-0x0000000000270000-0x0000000000283000-memory.dmp

Filesize
76KB

Download
memory/2020-9-0x0000000000270000-0x0000000000283000-memory.dmp

Filesize
76KB

Download
memory/2020-43-0x0000000005550000-0x0000000005625000-memory.dmp

Filesize
852KB

Download
memory/2020-54-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2020-0-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2020-37-0x0000000005550000-0x0000000005625000-memory.dmp

Filesize
852KB

Download
memory/2020-12-0x0000000000270000-0x0000000000271000-memory.dmp

Filesize
4KB

Download
memory/2228-11-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2228-17-0x00000000001C0000-0x00000000001C2000-memory.dmp

Filesize
8KB

Download
memory/2228-13-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2228-18-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2460-1064-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2460-578-0x0000000001D00000-0x0000000001D13000-memory.dmp

Filesize
76KB

Download
memory/2460-581-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2460-582-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2460-583-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2460-1071-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2460-579-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2460-577-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2460-1070-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2460-1069-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2460-52-0x0000000001D00000-0x0000000001D13000-memory.dmp

Filesize
76KB

Download
memory/2460-580-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2460-1068-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2460-44-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2460-1067-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2460-576-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2460-1065-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2460-1066-0x0000000000400000-0x00000000004D5000-memory.dmp

Filesize
852KB

Download
memory/2848-100-0x00000000001A0000-0x00000000001A1000-memory.dmp

Filesize
4KB

Download
memory/2848-62-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2860-28-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2860-33-0x0000000000400000-0x0000000000413000-memory.dmp

Filesize
76KB

Download
memory/2860-31-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download