Malware Analysis Report

2024-08-06 17:07

Sample ID 240506-jbl5xadd5x
Target 1b6b13653278e38989a3ab4025a69a97_JaffaCakes118
SHA256 1b75e1edeb875c5218baebebc304a5acab2de18c8970506d4fb0dfcae2ef13c4
Tags
darkcomet guest16 evasion persistence rat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

1b75e1edeb875c5218baebebc304a5acab2de18c8970506d4fb0dfcae2ef13c4

Threat Level: Known bad

The file 1b6b13653278e38989a3ab4025a69a97_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

darkcomet guest16 evasion persistence rat trojan upx

Modifies WinLogon for persistence

Darkcomet

Modifies firewall policy service

Sets file to hidden

Checks computer location settings

Executes dropped EXE

UPX packed file

Loads dropped DLL

Adds Run key to start application

Drops file in System32 directory

Unsigned PE

Enumerates physical storage devices

Views/modifies file attributes

Suspicious use of SetWindowsHookEx

Suspicious behavior: AddClipboardFormatListener

Suspicious use of SendNotifyMessage

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of FindShellTrayWindow

Modifies registry class

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-05-06 07:29

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-05-06 07:29

Reported

2024-05-06 07:32

Platform

win7-20240221-en

Max time kernel

143s

Max time network

127s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\zh-PH\\WWAHost.exe" | C:\Users\Admin\AppData\Roaming\po.exe | N/A

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A

Sets file to hidden

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\11.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-330940541-141609230-1670313778-1000\Software\Microsoft\Windows\CurrentVersion\Run\WAHost = "C:\\Windows\\system32\\zh-PH\\WWAHost.exe" | C:\Users\Admin\AppData\Roaming\po.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Users\Admin\AppData\Roaming\po.exe | N/A
File opened for modification | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Users\Admin\AppData\Roaming\po.exe | N/A
File opened for modification | C:\Windows\SysWOW64\zh-PH\ | C:\Users\Admin\AppData\Roaming\po.exe | N/A

Enumerates physical storage devices

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: 34 | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2020 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2020 wrote to memory of 2592 | N/A | C:\Users\Admin\AppData\Local\Temp\1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2592 wrote to memory of 2508 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\11.exe
PID 2592 wrote to memory of 2508 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\11.exe
PID 2592 wrote to memory of 2508 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\11.exe
PID 2592 wrote to memory of 2508 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\11.exe
PID 2508 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Roaming\11.exe | C:\Users\Admin\AppData\Roaming\po.exe
PID 2508 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Roaming\11.exe | C:\Users\Admin\AppData\Roaming\po.exe
PID 2508 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Roaming\11.exe | C:\Users\Admin\AppData\Roaming\po.exe
PID 2508 wrote to memory of 2792 | N/A | C:\Users\Admin\AppData\Roaming\11.exe | C:\Users\Admin\AppData\Roaming\po.exe
PID 2792 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Roaming\po.exe | C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Roaming\po.exe | C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Roaming\po.exe | C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 1912 | N/A | C:\Users\Admin\AppData\Roaming\po.exe | C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 484 | N/A | C:\Users\Admin\AppData\Roaming\po.exe | C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 484 | N/A | C:\Users\Admin\AppData\Roaming\po.exe | C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 484 | N/A | C:\Users\Admin\AppData\Roaming\po.exe | C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 484 | N/A | C:\Users\Admin\AppData\Roaming\po.exe | C:\Windows\SysWOW64\cmd.exe
PID 2792 wrote to memory of 1780 | N/A | C:\Users\Admin\AppData\Roaming\po.exe | C:\Windows\SysWOW64\zh-PH\WWAHost.exe
PID 2792 wrote to memory of 1780 | N/A | C:\Users\Admin\AppData\Roaming\po.exe | C:\Windows\SysWOW64\zh-PH\WWAHost.exe
PID 2792 wrote to memory of 1780 | N/A | C:\Users\Admin\AppData\Roaming\po.exe | C:\Windows\SysWOW64\zh-PH\WWAHost.exe
PID 2792 wrote to memory of 1780 | N/A | C:\Users\Admin\AppData\Roaming\po.exe | C:\Windows\SysWOW64\zh-PH\WWAHost.exe
PID 2508 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Roaming\11.exe | C:\Program Files\VideoLAN\VLC\vlc.exe
PID 2508 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Roaming\11.exe | C:\Program Files\VideoLAN\VLC\vlc.exe
PID 2508 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Roaming\11.exe | C:\Program Files\VideoLAN\VLC\vlc.exe
PID 2508 wrote to memory of 1928 | N/A | C:\Users\Admin\AppData\Roaming\11.exe | C:\Program Files\VideoLAN\VLC\vlc.exe
PID 484 wrote to memory of 1968 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 484 wrote to memory of 1968 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 484 wrote to memory of 1968 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 484 wrote to memory of 1968 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1912 wrote to memory of 2000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1912 wrote to memory of 2000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1912 wrote to memory of 2000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1912 wrote to memory of 2000 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1780 wrote to memory of 620 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 1780 wrote to memory of 620 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 1780 wrote to memory of 620 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 1780 wrote to memory of 620 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 1780 wrote to memory of 620 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 1780 wrote to memory of 620 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 1780 wrote to memory of 620 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 1780 wrote to memory of 620 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 1780 wrote to memory of 620 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 1780 wrote to memory of 620 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 1780 wrote to memory of 620 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 1780 wrote to memory of 620 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 1780 wrote to memory of 620 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 1780 wrote to memory of 620 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 1780 wrote to memory of 620 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 1780 wrote to memory of 620 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 1780 wrote to memory of 620 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 1780 wrote to memory of 620 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 1780 wrote to memory of 620 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 1780 wrote to memory of 620 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 1780 wrote to memory of 620 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 1780 wrote to memory of 620 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 1780 wrote to memory of 620 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Roaming\start.bat" "

C:\Users\Admin\AppData\Roaming\11.exe

11.exe -p03658512984 -dC:\Users\Admin\AppData\Roaming

C:\Users\Admin\AppData\Roaming\po.exe

"C:\Users\Admin\AppData\Roaming\po.exe"

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\po.exe" +s +h

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming" +s +h

C:\Windows\SysWOW64\zh-PH\WWAHost.exe

"C:\Windows\system32\zh-PH\WWAHost.exe"

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\12.mp3"

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\AppData\Roaming" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\AppData\Roaming\po.exe" +s +h

C:\Windows\SysWOW64\notepad.exe

notepad

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | andreprivet.ddns.net | udp

Files

C:\Users\Admin\AppData\Roaming\start.bat

MD5 d9b4214e353ba616f5edc2633ba76e36
SHA1 a69e0090704947fd72fbfab013699aa56896121b
SHA256 f027b25ce42d032279e22532ebae52023482a4fb278d4c3159ccab3102e0fc28
SHA512 9d89a0fa65de20b5a089e304939f0da1a34d5ee0509564c42de63e164a1216df31f5e0f0a208f2b9851c33902ef568853322f3df02a0415c78ed66be16b78121

\Users\Admin\AppData\Roaming\11.exe

MD5 eea149721c01291896b69895fd414964
SHA1 cd7f559e2847a6d26679472040ecc05ab8eef548
SHA256 5c4bf3713ff356a995d6fa59b7e68105ab4385cd22f6f519fbe3bdf993add823
SHA512 e01aec03356ac64b704d42bf764e89bb286a966f5c2da65201737a5af1accab04d5be8be5f07833a96b5525c9697334bcbddde2ad6f1e6932d7d526a352ea7a7

\Users\Admin\AppData\Roaming\po.exe

MD5 010b72d9045c7aede13473e1f4514ca9
SHA1 50cc0ba901b8bc1cfd34a277af34b7f666d1f693
SHA256 67bd0a65268d058dbf0ca7cd6a4b30060a4aa60bfd3d59c04768b1422d7f433a
SHA512 1c492a8927196c028c49931bbc99f6f1dd26f4d97eca35d576c953786d3101119910bb39d9a22b1a65289ad3d66c703bc69305ca616372f03443a17bfc0b3a65

C:\Users\Admin\AppData\Roaming\12.mp3

MD5 994ed675fa3c1ec9be2dc88f80a54d6c
SHA1 0be3478c5cbe848ea920d87c7853aec2c3d990fa
SHA256 95012f310436a52c4e083fabdf42db4c8d3242bc42689b63e8e613f73696d924
SHA512 38e04c70da86d6a1b473188789712236c09967139581da9578c23804d56f2866b3b1fb2cf115658624c0d6e044f00ba804b8c4efbbb77926b4affdc84af6f901

C:\Users\Admin\AppData\Roaming\em7zgKwn0yM.jpg

MD5 2341cf2283361b7a0f971f592bb88e0d
SHA1 4b9de14303a97a791449b8d972132ab4188f1e8a
SHA256 21ac2c0e131e17e2a4210a020ae7857ab3dd0968cd0696f65dbe6ffaa4ead26c
SHA512 2bbb780c096ebe683d5b0c1e2e14390536dfecf0643b41f4b7922b90a20d822b7846ebe7d6fc2f11deb79987a52a157c2867768a3d581b239d76c3894faebcfd


Analysis: behavioral2

Detonation Overview

Submitted

2024-05-06 07:29

Reported

2024-05-06 07:32

Platform

win10v2004-20240419-en

Max time kernel

150s

Max time network

148s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\zh-PH\\WWAHost.exe" | C:\Users\Admin\AppData\Roaming\po.exe | N/A

Modifies firewall policy service

evasion
Description | Indicator | Process | Target
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A

Sets file to hidden

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\11.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\po.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\11.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WAHost = "C:\\Windows\\system32\\zh-PH\\WWAHost.exe" | C:\Users\Admin\AppData\Roaming\po.exe | N/A

Drops file in System32 directory

Description | Indicator | Process | Target
File created | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Users\Admin\AppData\Roaming\po.exe | N/A
File opened for modification | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Users\Admin\AppData\Roaming\po.exe | N/A
File opened for modification | C:\Windows\SysWOW64\zh-PH\ | C:\Users\Admin\AppData\Roaming\po.exe | N/A

Enumerates physical storage devices

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\USER\S-1-5-21-17203666-93769886-2545153620-1000_Classes\Local Settings | C:\Users\Admin\AppData\Roaming\11.exe | N/A

Suspicious behavior: AddClipboardFormatListener

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: 34 | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Roaming\po.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: 33 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: 34 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: 35 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: 36 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
Token: 33 | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\system32\AUDIODG.EXE | N/A
Token: 33 | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of FindShellTrayWindow

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of SendNotifyMessage

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | N/A
N/A | N/A | C:\Program Files\VideoLAN\VLC\vlc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 4904 wrote to memory of 4856 | N/A | C:\Users\Admin\AppData\Local\Temp\1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 4904 wrote to memory of 4856 | N/A | C:\Users\Admin\AppData\Local\Temp\1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 4904 wrote to memory of 4856 | N/A | C:\Users\Admin\AppData\Local\Temp\1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 4856 wrote to memory of 1916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\11.exe
PID 4856 wrote to memory of 1916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\11.exe
PID 4856 wrote to memory of 1916 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Users\Admin\AppData\Roaming\11.exe
PID 1916 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Roaming\11.exe | C:\Users\Admin\AppData\Roaming\po.exe
PID 1916 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Roaming\11.exe | C:\Users\Admin\AppData\Roaming\po.exe
PID 1916 wrote to memory of 2652 | N/A | C:\Users\Admin\AppData\Roaming\11.exe | C:\Users\Admin\AppData\Roaming\po.exe
PID 2652 wrote to memory of 4168 | N/A | C:\Users\Admin\AppData\Roaming\po.exe | C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 4168 | N/A | C:\Users\Admin\AppData\Roaming\po.exe | C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 4168 | N/A | C:\Users\Admin\AppData\Roaming\po.exe | C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\po.exe | C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\po.exe | C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2484 | N/A | C:\Users\Admin\AppData\Roaming\po.exe | C:\Windows\SysWOW64\cmd.exe
PID 2652 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Roaming\po.exe | C:\Windows\SysWOW64\zh-PH\WWAHost.exe
PID 2652 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Roaming\po.exe | C:\Windows\SysWOW64\zh-PH\WWAHost.exe
PID 2652 wrote to memory of 2132 | N/A | C:\Users\Admin\AppData\Roaming\po.exe | C:\Windows\SysWOW64\zh-PH\WWAHost.exe
PID 4168 wrote to memory of 2812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 4168 wrote to memory of 2812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 4168 wrote to memory of 2812 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2484 wrote to memory of 1312 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2484 wrote to memory of 1312 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2484 wrote to memory of 1312 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2132 wrote to memory of 4920 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 2132 wrote to memory of 4920 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 2132 wrote to memory of 4920 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 2132 wrote to memory of 4920 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 2132 wrote to memory of 4920 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 2132 wrote to memory of 4920 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 2132 wrote to memory of 4920 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 2132 wrote to memory of 4920 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 2132 wrote to memory of 4920 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 2132 wrote to memory of 4920 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 2132 wrote to memory of 4920 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 2132 wrote to memory of 4920 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 2132 wrote to memory of 4920 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 2132 wrote to memory of 4920 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 2132 wrote to memory of 4920 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 2132 wrote to memory of 4920 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 2132 wrote to memory of 4920 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 2132 wrote to memory of 4920 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 2132 wrote to memory of 4920 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 2132 wrote to memory of 4920 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 2132 wrote to memory of 4920 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 2132 wrote to memory of 4920 | N/A | C:\Windows\SysWOW64\zh-PH\WWAHost.exe | C:\Windows\SysWOW64\notepad.exe
PID 1916 wrote to memory of 5104 | N/A | C:\Users\Admin\AppData\Roaming\11.exe | C:\Program Files\VideoLAN\VLC\vlc.exe
PID 1916 wrote to memory of 5104 | N/A | C:\Users\Admin\AppData\Roaming\11.exe | C:\Program Files\VideoLAN\VLC\vlc.exe

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1b6b13653278e38989a3ab4025a69a97_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Roaming\start.bat" "

C:\Users\Admin\AppData\Roaming\11.exe

11.exe -p03658512984 -dC:\Users\Admin\AppData\Roaming

C:\Users\Admin\AppData\Roaming\po.exe

"C:\Users\Admin\AppData\Roaming\po.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\po.exe" +s +h

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming" +s +h

C:\Windows\SysWOW64\zh-PH\WWAHost.exe

"C:\Windows\system32\zh-PH\WWAHost.exe"

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\AppData\Roaming\po.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\AppData\Roaming" +s +h

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Program Files\VideoLAN\VLC\vlc.exe

"C:\Program Files\VideoLAN\VLC\vlc.exe" --started-from-file "C:\Users\Admin\AppData\Roaming\12.mp3"

C:\Windows\system32\AUDIODG.EXE

C:\Windows\system32\AUDIODG.EXE 0x3d0 0x464

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 0.204.248.87.in-addr.arpa udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 139.53.16.96.in-addr.arpa udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 14.251.17.2.in-addr.arpa udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 204.79.197.200:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 andreprivet.ddns.net udp
US 8.8.8.8:53 andreprivet.ddns.net udp

Files

C:\Users\Admin\AppData\Roaming\start.bat

MD5 d9b4214e353ba616f5edc2633ba76e36
SHA1 a69e0090704947fd72fbfab013699aa56896121b
SHA256 f027b25ce42d032279e22532ebae52023482a4fb278d4c3159ccab3102e0fc28
SHA512 9d89a0fa65de20b5a089e304939f0da1a34d5ee0509564c42de63e164a1216df31f5e0f0a208f2b9851c33902ef568853322f3df02a0415c78ed66be16b78121

C:\Users\Admin\AppData\Roaming\11.exe

MD5 eea149721c01291896b69895fd414964
SHA1 cd7f559e2847a6d26679472040ecc05ab8eef548
SHA256 5c4bf3713ff356a995d6fa59b7e68105ab4385cd22f6f519fbe3bdf993add823
SHA512 e01aec03356ac64b704d42bf764e89bb286a966f5c2da65201737a5af1accab04d5be8be5f07833a96b5525c9697334bcbddde2ad6f1e6932d7d526a352ea7a7

C:\Users\Admin\AppData\Roaming\po.exe

MD5 010b72d9045c7aede13473e1f4514ca9
SHA1 50cc0ba901b8bc1cfd34a277af34b7f666d1f693
SHA256 67bd0a65268d058dbf0ca7cd6a4b30060a4aa60bfd3d59c04768b1422d7f433a
SHA512 1c492a8927196c028c49931bbc99f6f1dd26f4d97eca35d576c953786d3101119910bb39d9a22b1a65289ad3d66c703bc69305ca616372f03443a17bfc0b3a65

memory/2652-25-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2132-39-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/4920-40-0x0000000001180000-0x0000000001181000-memory.dmp

memory/2652-42-0x0000000000400000-0x00000000004B7000-memory.dmp

C:\Users\Admin\AppData\Roaming\12.mp3

MD5 994ed675fa3c1ec9be2dc88f80a54d6c
SHA1 0be3478c5cbe848ea920d87c7853aec2c3d990fa
SHA256 95012f310436a52c4e083fabdf42db4c8d3242bc42689b63e8e613f73696d924
SHA512 38e04c70da86d6a1b473188789712236c09967139581da9578c23804d56f2866b3b1fb2cf115658624c0d6e044f00ba804b8c4efbbb77926b4affdc84af6f901

memory/2132-53-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/5104-54-0x00007FF747D90000-0x00007FF747E88000-memory.dmp

memory/5104-55-0x00007FF829790000-0x00007FF8297C4000-memory.dmp

memory/5104-63-0x00007FF81AAA0000-0x00007FF81AAB1000-memory.dmp

memory/5104-62-0x00007FF81AAC0000-0x00007FF81AADD000-memory.dmp

memory/5104-61-0x00007FF81AAE0000-0x00007FF81AAF1000-memory.dmp

memory/5104-71-0x00007FF81A4E0000-0x00007FF81A4FB000-memory.dmp

memory/5104-70-0x00007FF81A500000-0x00007FF81A511000-memory.dmp

memory/5104-69-0x00007FF81A520000-0x00007FF81A531000-memory.dmp

memory/5104-68-0x00007FF81A540000-0x00007FF81A551000-memory.dmp

memory/5104-67-0x00007FF81AA30000-0x00007FF81AA48000-memory.dmp

memory/5104-66-0x00007FF81A560000-0x00007FF81A581000-memory.dmp

memory/5104-65-0x00007FF81AA50000-0x00007FF81AA91000-memory.dmp

memory/5104-64-0x00007FF819620000-0x00007FF81982B000-memory.dmp

memory/5104-56-0x00007FF81AD40000-0x00007FF81AFF6000-memory.dmp

memory/5104-60-0x00007FF81AB00000-0x00007FF81AB17000-memory.dmp

memory/5104-59-0x00007FF828A60000-0x00007FF828A71000-memory.dmp

memory/5104-58-0x00007FF829520000-0x00007FF829537000-memory.dmp

memory/5104-57-0x00007FF829860000-0x00007FF829878000-memory.dmp

memory/2132-72-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2132-91-0x0000000000400000-0x00000000004B7000-memory.dmp

memory/2132-110-0x0000000000400000-0x00000000004B7000-memory.dmp