Malware Analysis Report

2024-08-06 19:01

Sample ID 240614-pzhehsvdpp
Target a9be95d3b8409da23bc493a030103339_JaffaCakes118
SHA256 a43fd8a06c2276a5e95b7de56722b50229dbae0240f910e41dc61648a1cb1a70
Tags darkcomet micro11 persistence rat trojan
Score 10/10


Analysis Overview

Score 10/10

SHA256 a43fd8a06c2276a5e95b7de56722b50229dbae0240f910e41dc61648a1cb1a70

Threat Level: Known bad

The file a9be95d3b8409da23bc493a030103339_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

darkcomet micro11 persistence rat trojan

Modifies WinLogon for persistence

Darkcomet

Checks computer location settings

Executes dropped EXE

Loads dropped DLL

Adds Run key to start application

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported 2024-06-14 12:45

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-06-14 12:45
Reported 2024-06-14 12:48
Platform win7-20240611-en
Max time kernel 150s
Max time network 119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a9be95d3b8409da23bc493a030103339_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Hover.sfx.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\__tmp_rar_sfx_access_check_259399710 | C:\Users\Admin\AppData\Local\Temp\a9be95d3b8409da23bc493a030103339_JaffaCakes118.exe | N/A
File created | C:\Windows\Hover2.bat | C:\Users\Admin\AppData\Local\Temp\a9be95d3b8409da23bc493a030103339_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\Hover2.bat | C:\Users\Admin\AppData\Local\Temp\a9be95d3b8409da23bc493a030103339_JaffaCakes118.exe | N/A
File created | C:\Windows\Hover.sfx.exe | C:\Users\Admin\AppData\Local\Temp\a9be95d3b8409da23bc493a030103339_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\Hover.sfx.exe | C:\Users\Admin\AppData\Local\Temp\a9be95d3b8409da23bc493a030103339_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: 34 | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: 34 | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2944 wrote to memory of 3040 | N/A | C:\Users\Admin\AppData\Local\Temp\a9be95d3b8409da23bc493a030103339_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe | 7 identical entries
PID 3040 wrote to memory of 2852 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Hover.sfx.exe | 7 identical entries
PID 2852 wrote to memory of 2992 | N/A | C:\Windows\Hover.sfx.exe | C:\Users\Admin\AppData\Local\Temp\Hover.exe | 4 identical entries
PID 2992 wrote to memory of 3068 | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | 4 identical entries

Processes

C:\Users\Admin\AppData\Local\Temp\a9be95d3b8409da23bc493a030103339_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a9be95d3b8409da23bc493a030103339_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Windows\Hover2.bat" "

C:\Windows\Hover.sfx.exe

Hover.sfx.exe -p8463 dC:\Users\Admin\AppData\Local\Temp

C:\Users\Admin\AppData\Local\Temp\Hover.exe

"C:\Users\Admin\AppData\Local\Temp\Hover.exe"

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | hover22.hopto.org | udp

Files

C:\Windows\Hover2.bat

MD5 fac20164d4aaef9d7ee53bc415e6a25b
SHA1 02268f1d6e11f9696b02910fa5501997d7424ebf
SHA256 b9e4b7776215f446a0bc40a1891342ec1dca6a3cb4118102088d024b94529a8c
SHA512 4763e9c978a9826a9fbd402521c8732a8b0f052a45e70a2427e1a6f38744fabd94f7ae42ee5aadc9e28a61ccd144045a760f66ad86c864c70f5d1ed6aadfcec2

C:\Windows\Hover.sfx.exe

MD5 1b869cada07bd754b969e4b55b9d9772
SHA1 de96ce73a47aa434584858a9723971488dcaef13
SHA256 cfcef1af7a0c7e0f0e7d197d013bedc4a13438097649a21c145414991a6bfbcf
SHA512 66ff4d621b1a576a1afebd9d149385d370de5aac3886cab46c7ccac3d4a713c7d6ecbcba19b73c3dc8e4d213d8212b10c4a88bf945e957aea25927b2ab9fab9a

\Users\Admin\AppData\Local\Temp\Hover.exe

MD5 930cccff8538c66463258f7fa5c878d1
SHA1 abaf26e193764fa22f14f42b02a729dc06f45772
SHA256 d5f819edfcb2759cc8de38492d15cba5c3ec737d65603191248ae03c98866f08
SHA512 c433c05395010fa56a7fc78ea4b15803ae3d4e5004b12eb3e32a14a692177e75db3d677121d0edf7278c1581fb1bd6e5f50093f470f227aff6b8057ce9db5e77

memory/2992-50-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/3068-51-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/3068-52-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/3068-53-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/3068-54-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/3068-55-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/3068-56-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/3068-57-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/3068-58-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/3068-59-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/3068-60-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/3068-61-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/3068-62-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/3068-63-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/3068-64-0x0000000000400000-0x00000000004B2000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-06-14 12:45
Reported 2024-06-14 12:48
Platform win10v2004-20240508-en
Max time kernel 150s
Max time network 150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\a9be95d3b8409da23bc493a030103339_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\a9be95d3b8409da23bc493a030103339_JaffaCakes118.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Windows\Hover.sfx.exe | N/A
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\Hover.sfx.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A

Drops file in Windows directory

Description | Indicator | Process | Target
File created | C:\Windows\__tmp_rar_sfx_access_check_240603250 | C:\Users\Admin\AppData\Local\Temp\a9be95d3b8409da23bc493a030103339_JaffaCakes118.exe | N/A
File created | C:\Windows\Hover2.bat | C:\Users\Admin\AppData\Local\Temp\a9be95d3b8409da23bc493a030103339_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\Hover2.bat | C:\Users\Admin\AppData\Local\Temp\a9be95d3b8409da23bc493a030103339_JaffaCakes118.exe | N/A
File created | C:\Windows\Hover.sfx.exe | C:\Users\Admin\AppData\Local\Temp\a9be95d3b8409da23bc493a030103339_JaffaCakes118.exe | N/A
File opened for modification | C:\Windows\Hover.sfx.exe | C:\Users\Admin\AppData\Local\Temp\a9be95d3b8409da23bc493a030103339_JaffaCakes118.exe | N/A

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: 34 | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: 34 | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target | Count
PID 2944 wrote to memory of 1332 | N/A | C:\Users\Admin\AppData\Local\Temp\a9be95d3b8409da23bc493a030103339_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe | 3 identical entries
PID 1332 wrote to memory of 3776 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\Hover.sfx.exe | 3 identical entries
PID 3776 wrote to memory of 1212 | N/A | C:\Windows\Hover.sfx.exe | C:\Users\Admin\AppData\Local\Temp\Hover.exe | 3 identical entries
PID 1212 wrote to memory of 4568 | N/A | C:\Users\Admin\AppData\Local\Temp\Hover.exe | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | 3 identical entries

Processes

C:\Users\Admin\AppData\Local\Temp\a9be95d3b8409da23bc493a030103339_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\a9be95d3b8409da23bc493a030103339_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Windows\Hover2.bat" "

C:\Windows\Hover.sfx.exe

Hover.sfx.exe -p8463 dC:\Users\Admin\AppData\Local\Temp

C:\Users\Admin\AppData\Local\Temp\Hover.exe

"C:\Users\Admin\AppData\Local\Temp\Hover.exe"

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"

Network

Country | Destination | Domain | Proto | Count
US | 8.8.8.8:53 | 8.8.8.8.in-addr.arpa | udp | 1 query
US | 8.8.8.8:53 | hover22.hopto.org | udp | 13 identical queries

Files

C:\Windows\Hover2.bat

MD5 fac20164d4aaef9d7ee53bc415e6a25b
SHA1 02268f1d6e11f9696b02910fa5501997d7424ebf
SHA256 b9e4b7776215f446a0bc40a1891342ec1dca6a3cb4118102088d024b94529a8c
SHA512 4763e9c978a9826a9fbd402521c8732a8b0f052a45e70a2427e1a6f38744fabd94f7ae42ee5aadc9e28a61ccd144045a760f66ad86c864c70f5d1ed6aadfcec2

C:\Windows\Hover.sfx.exe

MD5 1b869cada07bd754b969e4b55b9d9772
SHA1 de96ce73a47aa434584858a9723971488dcaef13
SHA256 cfcef1af7a0c7e0f0e7d197d013bedc4a13438097649a21c145414991a6bfbcf
SHA512 66ff4d621b1a576a1afebd9d149385d370de5aac3886cab46c7ccac3d4a713c7d6ecbcba19b73c3dc8e4d213d8212b10c4a88bf945e957aea25927b2ab9fab9a

C:\Users\Admin\AppData\Local\Temp\Hover.exe

MD5 930cccff8538c66463258f7fa5c878d1
SHA1 abaf26e193764fa22f14f42b02a729dc06f45772
SHA256 d5f819edfcb2759cc8de38492d15cba5c3ec737d65603191248ae03c98866f08
SHA512 c433c05395010fa56a7fc78ea4b15803ae3d4e5004b12eb3e32a14a692177e75db3d677121d0edf7278c1581fb1bd6e5f50093f470f227aff6b8057ce9db5e77

memory/1212-34-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4568-35-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4568-36-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4568-37-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4568-38-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4568-39-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4568-40-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4568-41-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4568-42-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4568-43-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4568-44-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4568-45-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4568-46-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4568-47-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/4568-48-0x0000000000400000-0x00000000004B2000-memory.dmp