Malware Analysis Report

2024-07-28 12:16

Sample ID 240614-amqg2axdjg
Target a7495ebd5b117c20f373a1769534470a_JaffaCakes118
SHA256 46b620f55c618725f4bbf2889e0427d819804ec89263efb836e800118160d940
Tags
upx darkcomet ramnit guest16 banker evasion persistence rat spyware stealer trojan worm
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

46b620f55c618725f4bbf2889e0427d819804ec89263efb836e800118160d940

Threat Level: Known bad

The file a7495ebd5b117c20f373a1769534470a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

upx darkcomet ramnit guest16 banker evasion persistence rat spyware stealer trojan worm

Modifies security service

Windows security bypass

Ramnit

Darkcomet

Modifies WinLogon for persistence

Modifies firewall policy service

Disables RegEdit via registry modification

Sets file to hidden

Disables Task Manager via registry modification

Executes dropped EXE

UPX packed file

Deletes itself

Loads dropped DLL

Checks computer location settings

Windows security modification

Adds Run key to start application

Drops file in Program Files directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

System policy modification

Suspicious use of FindShellTrayWindow

Suspicious use of WriteProcessMemory

Views/modifies file attributes

Modifies registry class

Modifies Internet Explorer settings

Suspicious behavior: EnumeratesProcesses

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of SetWindowsHookEx

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Winlogon Helper DLL
T1547.004
Create or Modify System Process
T1543
Windows Service
T1543.003
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Winlogon Helper DLL
T1547.004
Create or Modify System Process
T1543
Windows Service
T1543.003
Defense Evasion
TA0005
Modify Registry
T1112
Impair Defenses
T1562
Disable or Modify Tools
T1562.001
Hide Artifacts
T1564
Hidden Files and Directories
T1564.001
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-14 00:20

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-14 00:20

Reported

2024-06-14 00:22

Platform

win7-20231129-en

Max time kernel

150s

Max time network

134s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MSDCSC\\msdcsc.exe" C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A

Ramnit

trojan spyware stealer worm banker ramnit

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A

Disables Task Manager via registry modification

evasion

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\notepad.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcscSrv.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MSDCSC\\msdcsc.exe" C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MSDCSC\\msdcsc.exe" C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\pxABA.tmp C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\pxC50.tmp C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcscSrv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcscSrv.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A}\FaviconPath = "C:\\Users\\Admin\\AppData\\LocalLow\\Microsoft\\Internet Explorer\\Services\\search_{0633EE93-D776-472f-A0FF-E1416B8B2E3A}.ico" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\PageSetup C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D718EA41-29E3-11EF-8857-46361BFF2467} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Zoom C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3d0000003d000000c3040000a2020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\InternetRegistry C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IETld\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "424486270" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\IntelliForms C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\SearchScopes\{0633EE93-D776-472f-A0FF-E1416B8B2E3A} C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcscSrv.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcscSrv.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcscSrv.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcscSrv.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeSecurityPrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeLoadDriverPrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeSystemProfilePrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeSystemtimePrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeShutdownPrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeUndockPrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeManageVolumePrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: 33 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: 34 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: 35 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2896 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe
PID 2896 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe
PID 2896 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe
PID 2896 wrote to memory of 2380 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe
PID 2380 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2380 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2380 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 2380 wrote to memory of 3016 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3016 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3016 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3016 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3016 wrote to memory of 2996 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2996 wrote to memory of 2844 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2996 wrote to memory of 2844 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2996 wrote to memory of 2844 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2996 wrote to memory of 2844 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 2896 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2744 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2628 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2896 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2896 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2896 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2896 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2896 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2896 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2896 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2896 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2896 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2896 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2896 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2896 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2896 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2896 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2896 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2896 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2896 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2896 wrote to memory of 2620 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 2628 wrote to memory of 2920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2628 wrote to memory of 2920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2628 wrote to memory of 2920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2628 wrote to memory of 2920 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2744 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2744 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2744 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2744 wrote to memory of 2992 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2896 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe
PID 2896 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe
PID 2896 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe
PID 2896 wrote to memory of 2460 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe
PID 2460 wrote to memory of 1480 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcscSrv.exe
PID 2460 wrote to memory of 1480 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcscSrv.exe
PID 2460 wrote to memory of 1480 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcscSrv.exe
PID 2460 wrote to memory of 1480 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcscSrv.exe
PID 1480 wrote to memory of 2420 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcscSrv.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1480 wrote to memory of 2420 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcscSrv.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1480 wrote to memory of 2420 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcscSrv.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1480 wrote to memory of 2420 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcscSrv.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 2460 wrote to memory of 1736 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\notepad.exe
PID 2460 wrote to memory of 1736 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\notepad.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe

C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe" +s +h

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2996 CREDAT:275457 /prefetch:2

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\AppData\Local\Temp" +s +h

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe

"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe"

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcscSrv.exe

"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcscSrv.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2996 CREDAT:406533 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 www.microsoft.com udp
US 8.8.8.8:53 www.microsoft.com udp
NL 23.62.61.97:80 www.bing.com tcp
NL 23.62.61.97:80 www.bing.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 204.79.197.200:443 ieonline.microsoft.com tcp

Files

memory/2896-0-0x0000000000400000-0x00000000004C6000-memory.dmp

\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/2896-8-0x0000000000310000-0x000000000033E000-memory.dmp

memory/2896-10-0x00000000002E0000-0x00000000002E1000-memory.dmp

memory/3016-19-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3016-16-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3016-18-0x0000000000240000-0x0000000000241000-memory.dmp

memory/2380-9-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2620-22-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2620-50-0x0000000000150000-0x0000000000151000-memory.dmp

\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe

MD5 a7495ebd5b117c20f373a1769534470a
SHA1 2fa33f0113d280d0aaa73e94e79a4c02fa78e788
SHA256 46b620f55c618725f4bbf2889e0427d819804ec89263efb836e800118160d940
SHA512 363385c5726ad38918e5769c668feb4cf4e42f8a6dab847f25d452c56d92d1934f2573b3a1026098fd0c67c995be6967ef3e73ce2639ded00636e30ed1d546d9

memory/1480-69-0x00000000002C0000-0x00000000002C1000-memory.dmp

memory/1480-71-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2460-72-0x0000000000260000-0x000000000028E000-memory.dmp

memory/2896-61-0x00000000045A0000-0x0000000004666000-memory.dmp

memory/2896-59-0x00000000045A0000-0x0000000004666000-memory.dmp

memory/1480-68-0x0000000000400000-0x000000000042E000-memory.dmp

memory/2460-67-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/2896-114-0x0000000000400000-0x00000000004C6000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\94308059B57B3142E455B38A6EB92015

MD5 49aebf8cbd62d92ac215b2923fb1b9f5
SHA1 1723be06719828dda65ad804298d0431f6aff976
SHA256 b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f
SHA512 bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

C:\Users\Admin\AppData\Local\Temp\Tar23FB.tmp

MD5 4ea6026cf93ec6338144661bf1202cd1
SHA1 a1dec9044f750ad887935a01430bf49322fbdcb7
SHA256 8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8
SHA512 6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 c2676db663e7c0b9344e2a235ee5aaff
SHA1 92abb83e0939886467be6031d81d622425a36256
SHA256 4479d41899740fdbfae6ee9a01456a5c2221f792371d6374c35a92cfe522dfbd
SHA512 82db6f6b9de6bdbda36cb9533c9c946243eedcb851578e67bd2a818c097e494700d69fc3a0dd44d8f06a8a72d8a168140b8c1ff72c3eb6ecf13ec79113e0787e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 a266bb7dcc38a562631361bbf61dd11b
SHA1 3b1efd3a66ea28b16697394703a72ca340a05bd5
SHA256 df545bf919a2439c36983b54cdfc903dfa4f37d3996d8d84b4c31eec6f3c163e
SHA512 0da8ef4f8f6ed3d16d2bc8eb816b9e6e1345dfe2d91160196c47e6149a1d6aedaafadcefd66acdea7f72dcf0832770192ceac15b0c559c4ccc2c0e5581d5aefc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bfab4485f213eef1ee0e50799b52c7ee
SHA1 68afe8ef7cb6cddc39c3926ea8ed3b7d122b0868
SHA256 c72ce4c997ef8e7553cf9430de1a9dedd00277c77443bace89bdbfe641df1b03
SHA512 f5522fb7e0aa4b5cb3013c4ed002b9cc7bf911cbacf89f6fc1a6e8f26bd15ea9ed743f531c223fd5eba733f0889821153d67160956b8fa5abc7d992917c9ce0e

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\F0ACCF77CDCBFF39F6191887F6D2D357

MD5 8bacec176e47bf2e19c6493267e29950
SHA1 f70be9f53b72aad4330f074fdd0093e7f9226e46
SHA256 0e2fb9bb45e55022e6d8824f261f0c7a2ed8423fcdb91d2eaba1d5cf6fdb67e3
SHA512 b5d0d4630e5b9f337927f9f07d63063b95fd27e32ba79b149e313b1da3e8df349215190af79d8fcfdf88831689c2850e0c847cd296d741c6d19c77f7dcdd0dbc

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 82d41319be566c559f6f5af5dced88f1
SHA1 14bc89c66bb6328e7a3249c8bea34792931e7b40
SHA256 ca658c98a1bd386628616b67eae2bc9687053ce0c17c9c43aabd74ff034b605c
SHA512 4f80f27d10349de2e0563af1c1478a4e257a81c312d835e2402cf1b06d6f9161a7ded8a37ae6db068073d494ca460a979478bea05a6e02f0531ca9c514083726

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 032fb6809a37832ee5213829e2513e24
SHA1 2a855692d9888bd259743751483faa1ef659b186
SHA256 b5b2b85d27b4b921171d784143ea0cf8cb89767dae87e4a4c364287bd52f419d
SHA512 b8d098c4dfe80bb32d0fca38985d004e28e3cbe29842ed23e35ba1adbb6682b8a2da6c73593d01665b03e1eba7d30064742d4ae8986f73d2c2a3de043f82be09

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 bd9899bc164abf52e2f7b75a0f589f56
SHA1 9fb297c37f40fc49fa52677d1804ca391f02decf
SHA256 7688b810ea0cfcd456f8f185e6d769edd76067e5642cf7aac4427f08e2c5baa8
SHA512 1ce81d9506f62ba9d47e7592baa86204b8eac3bbbd0e0bd3f34668d5e06523289e005e6a270cf1d964f64db423482df83b9b1fa9ca16c191010e0957834c4e18

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 a10896ba921dd47d5ab02f72c47e755a
SHA1 f54ceef737e260065839c519605368c8bd83b2ec
SHA256 8ad5cfe8324f5a1b114ec4ab608d18b121335ed4edc9462a483efac63cbe0080
SHA512 4122a1af93545bab9a70cc9d7340a77de0a758154b93c39385aed5eed64175431cfcaa53ee0386d4cd61e37ca481c576b7272f9ec0b122ddc71bf01b7d3ec0c8

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 1febc47df15a8c5c49aed0f33a9a8ccb
SHA1 ac3f77001b63b25e83d1a97ae966178fb751048d
SHA256 b5721be2a4889a678772a6dec20c9cbd9dcb68931c9a5eebb5ac6736c23c8471
SHA512 88e73e783df461197d50457890bb617582665ea4ad7c080f77d159ba9eafe7a76b882403affc3d30706451283b72b62f6f1bced3344d504678c8fe7d25feff0b

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\3C428B1A3E5F57D887EC4B864FAC5DCC

MD5 e4a68ac854ac5242460afd72481b2a44
SHA1 df3c24f9bfd666761b268073fe06d1cc8d4f82a4
SHA256 cb3ccbb76031e5e0138f8dd39a23f9de47ffc35e43c1144cea27d46a5ab1cb5f
SHA512 5622207e1ba285f172756f6019af92ac808ed63286e24dfecc1e79873fb5d140f1ceb7133f2476e89a5f75f711f9813a9fbb8fd5287f64adfdcc53b864f9bdc5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 9bf6202d4d15cf9c48ff3b67944b415e
SHA1 7f215770995cb0a0f6db8ffe795d6e1988805b3b
SHA256 876e5c2c384c206925e07d221d1fdfb4b5cf66e0259c2d8d1e8312d7b12d26bc
SHA512 b77222d9b5f88c785811441a4326b7634d4462929e898baf13fb8b8595b6668d2e4d6bec03a00d4cba1454bd9742fea738b9376f02fff35ac9ef54d205bb0404

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 2b77ba61fabaa472ff1e7bd5a71fb79a
SHA1 22257200cc8c45b803bd7d0a73f639fd8bf1fb27
SHA256 3828cf5f8fc3d086c57445cad1ff6a72f57cfea74acd52bd3cdfb8a74d1ac27d
SHA512 575290826c58503d6180d25fdd7944bb6075f41aa75455b7f87a469660a25564750ff2ffa485bde620f727ac5286faccd19d33d94408254e7e6ae797d1db4f8c

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 48fa52555806ec3e07d2b5f09872b26a
SHA1 5e7ae8cb850186076a71391eaf97b1a82b48e7a6
SHA256 9ea3cc0dc6ff368d040898ad43a1367b5c35bb173e28a86287ac9d7b8adc75ed
SHA512 66f87f2afaddaa60789d6c44ae7f66025db366b57db671230dd27f3943ab52e8f4ee5ae5c3aec651de9b021f734305f525a6fcdc34d9fa50bdf1a3763a4cdbe9

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 89bd8f0a8dab4ecaa4ebd004b6a3cb12
SHA1 8dd990e7efd582782672ac0b228557a7ab5dc0d5
SHA256 324c49dd309ca415c1381a65798e7ed8cfcee20562779ca632619e184a0bc4d4
SHA512 82c59e11509621eae6c05e1dece002b0f283a55799f905e2df6d0548de2981539d5701900ee9e15b0b7749cf86b1a6e9d1c7dbf67f6a07ac986cb01062e7648f

C:\Users\Admin\AppData\Local\Microsoft\Windows\Temporary Internet Files\Content.IE5\2OY1L4FY\favicon[2].ico

MD5 da597791be3b6e732f0bc8b20e38ee62
SHA1 1125c45d285c360542027d7554a5c442288974de
SHA256 5b2c34b3c4e8dd898b664dba6c3786e2ff9869eff55d673aa48361f11325ed07
SHA512 d8dc8358727590a1ed74dc70356aedc0499552c2dc0cd4f7a01853dd85ceb3aead5fbdc7c75d7da36db6af2448ce5abdff64cebdca3533ecad953c061a9b338e

memory/2460-701-0x0000000000400000-0x00000000004C6000-memory.dmp

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 7cb822d7928f88bae7f16910512924b9
SHA1 ec8a19d7e6834aecb06a06fdb15910da2a91925d
SHA256 1dc01a6840bdcaad094766ca8b19e8c5a1068a1402ad4094211504b5107725ba
SHA512 02e6ce10b608c074cbd73ac1ba5666eb6b8d32c271b6fb084e8b979cd331cb8eab744f9080f14ebab0572c5beed78b6abd30bb6a51ec7e044a7bc1c9bd4cf712

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 13fbd4592c720039182faa646d54f5c5
SHA1 ed69f0df84c37f9e099e933b7bc30e869cca3611
SHA256 43bd77492be63fd188c8fcb3d1cc1cf0c8762d851a7415edc8263dd67d0b736c
SHA512 eaa85d58ca3562447a9dde3f30d56b64ed97e8e12b57f3d63a796d5e4dcd451930cce5346afc96f35822aa633485c7c0a8c841fc9495f42cc70e630f24267565

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 ac7139780cf59a2e5aa8cfb64a0cdb63
SHA1 fa0bc02f40803524e5e1022fff65fc4544aeb00a
SHA256 6390b6641b2ed442afcbbe6c2c75d0ec773bba5f5d1ea5694723adbb4ab7d4bc
SHA512 de87ade15e8111df3983737dee33eb0a0a180dbfe1fa5f5e8791fefd4fef8815d83109f1ed7aa95610b75e786109eab66b584f3be25a2b8660c8655ca3ad5c38

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

MD5 984a2bef580656d7760868d49d71005f
SHA1 7d07bd239590e5a8ba273b4e79457607f7a45ebf
SHA256 947084e56fb4aa127d07266d1a484caf3ddc63c17cb0bcf4e9c96fdfd48d4849
SHA512 63f593e3cbc981d169ef1e6549a2a124123ad079e22a2db7e2ee7b32a2768cb269f6aad3b739c6984143cda1a7fd9d6095283ab22d4966d8bb2f04ac70c6dba4

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-14 00:20

Reported

2024-06-14 00:22

Platform

win10v2004-20240611-en

Max time kernel

150s

Max time network

149s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MSDCSC\\msdcsc.exe" C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A

Modifies firewall policy service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A

Modifies security service

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A

Ramnit

trojan spyware stealer worm banker ramnit

Windows security bypass

evasion trojan
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A

Disables RegEdit via registry modification

evasion
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A

Disables Task Manager via registry modification

evasion

Sets file to hidden

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A

Deletes itself

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\notepad.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcscSrv.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Windows security modification

evasion trojan
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MSDCSC\\msdcsc.exe" C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\Programs\\MSDCSC\\msdcsc.exe" C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A

Drops file in Program Files directory

Description Indicator Process Target
File opened for modification C:\Program Files (x86)\Microsoft\px35F4.tmp C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe N/A
File created C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\px396F.tmp C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcscSrv.exe N/A
File opened for modification C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcscSrv.exe N/A

Enumerates physical storage devices

Modifies Internet Explorer settings

adware spyware
Description Indicator Process Target
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31112688" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2885917629" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31112688" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D79ED43B-29E3-11EF-B1BC-525B2696ACE5} = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "2885917629" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "425089382" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2896230447" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "2889824028" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31112688" C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Set value (data) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\Main C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\GPU C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DomainSuggestion C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" C:\Program Files\Internet Explorer\iexplore.exe N/A
Set value (int) \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31112688" C:\Program Files\Internet Explorer\iexplore.exe N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\VersionManager C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
Key created \REGISTRY\USER\S-1-5-21-4204450073-1267028356-951339405-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ C:\Program Files\Internet Explorer\iexplore.exe N/A

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A
N/A N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe N/A

Suspicious behavior: GetForegroundWindowSpam

Description Indicator Process Target
N/A N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeSecurityPrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeLoadDriverPrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeSystemProfilePrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeSystemtimePrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeBackupPrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeRestorePrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeShutdownPrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeDebugPrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeUndockPrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeManageVolumePrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeImpersonatePrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: 33 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: 34 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: 35 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Token: 36 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files\Internet Explorer\iexplore.exe N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A
N/A N/A C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 3492 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe
PID 3492 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe
PID 3492 wrote to memory of 3904 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe
PID 3904 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3904 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 3904 wrote to memory of 640 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 640 wrote to memory of 3048 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 640 wrote to memory of 3048 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 3492 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3492 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3492 wrote to memory of 1868 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3492 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3492 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3492 wrote to memory of 4688 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 3492 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 3492 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 3492 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 3492 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 3492 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 3492 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 3492 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 3492 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 3492 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 3492 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 3492 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 3492 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 3492 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 3492 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 3492 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 3492 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 3492 wrote to memory of 4380 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\Windows\SysWOW64\notepad.exe
PID 3048 wrote to memory of 3616 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3048 wrote to memory of 3616 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 3048 wrote to memory of 3616 N/A C:\Program Files\Internet Explorer\iexplore.exe C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
PID 1868 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1868 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 1868 wrote to memory of 2316 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4688 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4688 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 4688 wrote to memory of 2768 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 3492 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe
PID 3492 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe
PID 3492 wrote to memory of 1812 N/A C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe
PID 1812 wrote to memory of 1196 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcscSrv.exe
PID 1812 wrote to memory of 1196 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcscSrv.exe
PID 1812 wrote to memory of 1196 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcscSrv.exe
PID 1196 wrote to memory of 4628 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcscSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1196 wrote to memory of 4628 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcscSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 1196 wrote to memory of 4628 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcscSrv.exe C:\Program Files (x86)\Microsoft\DesktopLayer.exe
PID 4628 wrote to memory of 1468 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 4628 wrote to memory of 1468 N/A C:\Program Files (x86)\Microsoft\DesktopLayer.exe C:\Program Files\Internet Explorer\iexplore.exe
PID 1812 wrote to memory of 696 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\notepad.exe
PID 1812 wrote to memory of 696 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\notepad.exe
PID 1812 wrote to memory of 696 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\notepad.exe
PID 1812 wrote to memory of 696 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\notepad.exe
PID 1812 wrote to memory of 696 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\notepad.exe
PID 1812 wrote to memory of 696 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\notepad.exe
PID 1812 wrote to memory of 696 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\notepad.exe
PID 1812 wrote to memory of 696 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\notepad.exe
PID 1812 wrote to memory of 696 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\notepad.exe
PID 1812 wrote to memory of 696 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\notepad.exe
PID 1812 wrote to memory of 696 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\notepad.exe
PID 1812 wrote to memory of 696 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\notepad.exe
PID 1812 wrote to memory of 696 N/A C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe C:\Windows\SysWOW64\notepad.exe

System policy modification

evasion
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe N/A

Views/modifies file attributes

evasion
Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A
N/A N/A C:\Windows\SysWOW64\attrib.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe

C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe" +s +h

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:17410 /prefetch:2

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\AppData\Local\Temp" +s +h

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe

"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe"

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcscSrv.exe

"C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcscSrv.exe"

C:\Program Files (x86)\Microsoft\DesktopLayer.exe

"C:\Program Files (x86)\Microsoft\DesktopLayer.exe"

C:\Program Files\Internet Explorer\iexplore.exe

"C:\Program Files\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\notepad.exe

notepad

C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE

"C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:3048 CREDAT:17414 /prefetch:2

Network

Country Destination Domain Proto
US 8.8.8.8:53 api.bing.com udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
NL 23.62.61.194:443 www.bing.com tcp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 249.197.17.2.in-addr.arpa udp
US 8.8.8.8:53 43.58.199.20.in-addr.arpa udp
US 8.8.8.8:53 194.61.62.23.in-addr.arpa udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 161.19.199.152.in-addr.arpa udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 206.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 65.139.73.23.in-addr.arpa udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 204.79.197.200:443 ieonline.microsoft.com tcp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 200.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 14.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 bibl12345.ddns.net udp
US 8.8.8.8:53 bibl12345.ddns.net udp

Files

memory/3492-0-0x0000000000400000-0x00000000004C6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\a7495ebd5b117c20f373a1769534470a_JaffaCakes118Srv.exe

MD5 ff5e1f27193ce51eec318714ef038bef
SHA1 b4fa74a6f4dab3a7ba702b6c8c129f889db32ca6
SHA256 fd6c69c345f1e32924f0a5bb7393e191b393a78d58e2c6413b03ced7482f2320
SHA512 c9d654ead35f40eea484a3dc5b5d0a44294b9e7b41a9bacdafdd463d3de9daa2a43237a5f113f6a9c8ea5e1366823fd3d83da18cd8197aa69a55e9f345512a7a

memory/3904-9-0x0000000000400000-0x000000000042E000-memory.dmp

memory/640-13-0x00000000004A0000-0x00000000004A1000-memory.dmp

memory/640-14-0x0000000000400000-0x000000000042E000-memory.dmp

memory/640-16-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3904-7-0x0000000002040000-0x000000000204F000-memory.dmp

memory/3904-4-0x0000000000400000-0x000000000042E000-memory.dmp

memory/3492-5-0x0000000000AE0000-0x0000000000AE1000-memory.dmp

memory/4380-20-0x00000000008B0000-0x00000000008B1000-memory.dmp

C:\ProgramData\Microsoft\Windows\Start Menu\Programs\MSDCSC\msdcsc.exe

MD5 a7495ebd5b117c20f373a1769534470a
SHA1 2fa33f0113d280d0aaa73e94e79a4c02fa78e788
SHA256 46b620f55c618725f4bbf2889e0427d819804ec89263efb836e800118160d940
SHA512 363385c5726ad38918e5769c668feb4cf4e42f8a6dab847f25d452c56d92d1934f2573b3a1026098fd0c67c995be6967ef3e73ce2639ded00636e30ed1d546d9

memory/1812-78-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/1196-85-0x0000000000400000-0x000000000042E000-memory.dmp

memory/4628-90-0x0000000000590000-0x0000000000591000-memory.dmp

memory/696-91-0x0000000000E40000-0x0000000000E41000-memory.dmp

memory/3492-94-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/1812-96-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/1812-97-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/1812-98-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/1812-103-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/1812-104-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/1812-105-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/1812-106-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/1812-107-0x0000000000400000-0x00000000004C6000-memory.dmp

C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\0K2PF59Z\suggestions[1].en-US

MD5 5a34cb996293fde2cb7a4ac89587393a
SHA1 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256 c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512 e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

memory/1812-115-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/1812-116-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/1812-117-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/1812-118-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/1812-119-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/1812-120-0x0000000000400000-0x00000000004C6000-memory.dmp

memory/1812-121-0x0000000000400000-0x00000000004C6000-memory.dmp