Malware Analysis Report

2024-08-06 18:55

Sample ID 240620-hr38pazaqn
Target 03d6a067416e684cba893542c4ff1094_JaffaCakes118
SHA256 5ab8d01b8144e70ab1e5720ec8e672695068439c8e65b7bd884944117aa00e40
Tags
darkcomet modiloader bootkit persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

5ab8d01b8144e70ab1e5720ec8e672695068439c8e65b7bd884944117aa00e40

Threat Level: Known bad

The file 03d6a067416e684cba893542c4ff1094_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

darkcomet modiloader bootkit persistence rat trojan

Darkcomet

Modifies WinLogon for persistence

ModiLoader, DBatLoader

ModiLoader Second Stage

Loads dropped DLL

Checks computer location settings

Executes dropped EXE

Adds Run key to start application

Writes to the Master Boot Record (MBR)

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Suspicious use of SetWindowsHookEx

Runs ping.exe

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK Matrix V13

Initial Access
TA0001
Execution
TA0002
Persistence
TA0003
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Winlogon Helper DLL
T1547.004
Pre-OS Boot
T1542
Bootkit
T1542.003
Privilege Escalation
TA0004
Boot or Logon Autostart Execution
T1547
Registry Run Keys / Startup Folder
T1547.001
Winlogon Helper DLL
T1547.004
Defense Evasion
TA0005
Modify Registry
T1112
Pre-OS Boot
T1542
Bootkit
T1542.003
Credential Access
TA0006
Discovery
TA0007
System Information Discovery
T1082
Remote System Discovery
T1018
Query Registry
T1012
Lateral Movement
TA0008
Collection
TA0009
Exfiltration
TA0010
Command and Control
TA0011
Impact
TA0040
Resource Development
TA0042
Reconnaissance
TA0043

Analysis: static1

Detonation Overview

Reported

2024-06-20 06:59

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-20 06:59

Reported

2024-06-20 07:01

Platform

win7-20240508-en

Max time kernel

149s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

ModiLoader, DBatLoader

trojan modiloader

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\met start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\met start.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\met start.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Loads dropped DLL

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\met start.exe\"" C:\Users\Admin\AppData\Local\Temp\d48z.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\met start.exe\"" C:\Users\Admin\AppData\Roaming\met start.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Roaming\met start.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\d48z.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2716 set thread context of 1704 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2736 set thread context of 2680 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2680 set thread context of 2524 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2128 set thread context of 2952 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2952 set thread context of 2428 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2592 set thread context of 628 N/A C:\Users\Admin\AppData\Roaming\met start.exe C:\Users\Admin\AppData\Roaming\met start.exe
PID 628 set thread context of 1308 N/A C:\Users\Admin\AppData\Roaming\met start.exe C:\Users\Admin\AppData\Roaming\met start.exe
PID 2840 set thread context of 540 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 540 set thread context of 1484 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\met start.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\met start.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2716 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2716 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2716 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2716 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2716 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2716 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2716 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2716 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2716 wrote to memory of 1704 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 1704 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 1704 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 1704 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 1704 wrote to memory of 2128 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 1704 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 1704 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 1704 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 1704 wrote to memory of 2736 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2736 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2736 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2736 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2736 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2736 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2736 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2736 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2736 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2736 wrote to memory of 2680 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2680 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2680 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2680 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2680 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2680 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2680 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2680 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2680 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2680 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2680 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2680 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2680 wrote to memory of 2524 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2128 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2128 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2128 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2128 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2524 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Roaming\met start.exe
PID 2524 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Roaming\met start.exe
PID 2524 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Roaming\met start.exe
PID 2524 wrote to memory of 2592 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Roaming\met start.exe
PID 2128 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2128 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2128 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2128 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2128 wrote to memory of 2952 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2952 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2952 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2952 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2952 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2952 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2952 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2952 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2952 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2952 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2952 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2952 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2952 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2952 wrote to memory of 2428 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe

Processes

C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe

"C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe"

C:\Users\Admin\AppData\Local\Temp\d48z.exe

"C:\Users\Admin\AppData\Local\Temp\d48z.exe"

C:\Users\Admin\AppData\Local\Temp\d48z.exe

"C:\Users\Admin\AppData\Local\Temp\d48z.exe"

C:\Users\Admin\AppData\Local\Temp\d48z.exe

"C:\Users\Admin\AppData\Local\Temp\d48z.exe"

C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe

"C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe"

C:\Users\Admin\AppData\Roaming\met start.exe

"C:\Users\Admin\AppData\Roaming\met start.exe"

C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe

"C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe"

C:\Users\Admin\AppData\Roaming\met start.exe

"C:\Users\Admin\AppData\Roaming\met start.exe"

C:\Users\Admin\AppData\Roaming\met start.exe

"C:\Users\Admin\AppData\Roaming\met start.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 5

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp

Files

memory/2716-0-0x0000000000400000-0x0000000000544000-memory.dmp

memory/1704-3-0x0000000000400000-0x000000000051D000-memory.dmp

memory/1704-7-0x0000000000400000-0x000000000051D000-memory.dmp

memory/1704-13-0x0000000000400000-0x000000000051D000-memory.dmp

memory/1704-15-0x0000000000400000-0x000000000051D000-memory.dmp

memory/1704-11-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/1704-5-0x0000000000400000-0x000000000051D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d48z.exe

MD5 c7e2e7f78d3176794bfd37c571552c5d
SHA1 5ade0c1a932080dc28982e9ac751ef40a819bfab
SHA256 b148721896f9a0fbb6113e5c381dd2555dbbb37d72c780a6ca09b2639e20e876
SHA512 f0b9e1d64c5484cd1073c8cdf65f3c8921fe1588137137de0a3d3bcdb2818441fd0e2ddb7d8b189ef879b3303804438e615ed79398e2c5a8aa254d6428b9848a

memory/2736-36-0x0000000000400000-0x000000000043C000-memory.dmp

memory/1704-40-0x0000000000400000-0x000000000051D000-memory.dmp

memory/2128-37-0x0000000000400000-0x00000000004D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe

MD5 dc11a2ac0e7fda0d531fcd4350b6b56f
SHA1 32bf2255a2397c4bae5e9250260ce9b2c2a901c4
SHA256 fb708bf5cb6e60a45fbe23446b723b79ca3b1720f567afca5c5cd57c07ccb23c
SHA512 a4a569fcdf977dd1e5b01416b69a04f53af190dd0d956f3ffca6101f8af62d8bc47052ede34f3ba395e683aeae3669e609a44812753e8d4818cf1eb1e0698e7f

memory/2680-60-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2680-56-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2680-50-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2680-48-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2680-46-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2524-83-0x0000000000400000-0x000000000040F000-memory.dmp

memory/2524-82-0x0000000000400000-0x000000000040F000-memory.dmp

memory/2680-91-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2524-101-0x0000000000400000-0x000000000040F000-memory.dmp

memory/2952-113-0x0000000000400000-0x00000000004AE000-memory.dmp

memory/2952-108-0x0000000000400000-0x00000000004AE000-memory.dmp

memory/2952-106-0x0000000000400000-0x00000000004AE000-memory.dmp

memory/2952-105-0x0000000000400000-0x00000000004AE000-memory.dmp

memory/2524-88-0x0000000000400000-0x000000000040F000-memory.dmp

memory/2524-80-0x0000000000400000-0x000000000040F000-memory.dmp

memory/2524-76-0x0000000000400000-0x000000000040F000-memory.dmp

memory/2524-74-0x0000000000400000-0x000000000040F000-memory.dmp

memory/2524-72-0x0000000000400000-0x000000000040F000-memory.dmp

memory/2524-70-0x0000000000400000-0x000000000040F000-memory.dmp

memory/2524-68-0x0000000000400000-0x000000000040F000-memory.dmp

memory/2524-66-0x0000000000400000-0x000000000040F000-memory.dmp

memory/2524-64-0x0000000000400000-0x000000000040F000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-20 06:59

Reported

2024-06-20 07:01

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

ModiLoader, DBatLoader

trojan modiloader

Modifies WinLogon for persistence

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A

ModiLoader Second Stage

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe N/A
Key value queried \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\d48z.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\met start.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\met start.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\met start.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\met start.exe\"" C:\Users\Admin\AppData\Local\Temp\d48z.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "C:\\Users\\Admin\\AppData\\Roaming\\svchost.exe" C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\svchost = "\"C:\\Users\\Admin\\AppData\\Roaming\\met start.exe\"" C:\Users\Admin\AppData\Roaming\met start.exe N/A

Writes to the Master Boot Record (MBR)

bootkit persistence
Description Indicator Process Target
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Roaming\met start.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Roaming\svchost.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\d48z.exe N/A
File opened for modification \??\PhysicalDrive0 C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2496 set thread context of 2860 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 976 set thread context of 2472 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2472 set thread context of 4232 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 4820 set thread context of 2260 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2260 set thread context of 4940 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 1948 set thread context of 1268 N/A C:\Users\Admin\AppData\Roaming\met start.exe C:\Users\Admin\AppData\Roaming\met start.exe
PID 1268 set thread context of 2516 N/A C:\Users\Admin\AppData\Roaming\met start.exe C:\Users\Admin\AppData\Roaming\met start.exe
PID 4560 set thread context of 3320 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 3320 set thread context of 2932 N/A C:\Users\Admin\AppData\Roaming\svchost.exe C:\Users\Admin\AppData\Roaming\svchost.exe

Enumerates physical storage devices

Runs ping.exe

Description Indicator Process Target
N/A N/A C:\Windows\SysWOW64\PING.EXE N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\met start.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\met start.exe N/A
N/A N/A C:\Users\Admin\AppData\Roaming\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2496 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2496 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2496 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2496 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2496 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2496 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2496 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2496 wrote to memory of 2860 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe
PID 2860 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2860 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2860 wrote to memory of 4820 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2860 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2860 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2860 wrote to memory of 976 N/A C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 976 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 976 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 976 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 976 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 976 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 976 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 976 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 976 wrote to memory of 2472 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2472 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2472 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2472 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2472 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2472 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2472 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2472 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2472 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2472 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2472 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2472 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2472 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 2472 wrote to memory of 4232 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Local\Temp\d48z.exe
PID 4820 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 4820 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 4820 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 4820 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 4820 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 4820 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 4820 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 4820 wrote to memory of 2260 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2260 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2260 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2260 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2260 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2260 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2260 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2260 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2260 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2260 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2260 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2260 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2260 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2260 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 2260 wrote to memory of 4940 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe
PID 4232 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Roaming\met start.exe
PID 4232 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Roaming\met start.exe
PID 4232 wrote to memory of 1948 N/A C:\Users\Admin\AppData\Local\Temp\d48z.exe C:\Users\Admin\AppData\Roaming\met start.exe
PID 4940 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4940 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4940 wrote to memory of 4560 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Users\Admin\AppData\Roaming\svchost.exe
PID 4940 wrote to memory of 3032 N/A C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe C:\Windows\SysWOW64\cmd.exe

Processes

C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\03d6a067416e684cba893542c4ff1094_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe

"C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe"

C:\Users\Admin\AppData\Local\Temp\d48z.exe

"C:\Users\Admin\AppData\Local\Temp\d48z.exe"

C:\Users\Admin\AppData\Local\Temp\d48z.exe

"C:\Users\Admin\AppData\Local\Temp\d48z.exe"

C:\Users\Admin\AppData\Local\Temp\d48z.exe

"C:\Users\Admin\AppData\Local\Temp\d48z.exe"

C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe

"C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe"

C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe

"C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe"

C:\Users\Admin\AppData\Roaming\met start.exe

"C:\Users\Admin\AppData\Roaming\met start.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 5 > NUL&del "C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe"

C:\Users\Admin\AppData\Roaming\met start.exe

"C:\Users\Admin\AppData\Roaming\met start.exe"

C:\Users\Admin\AppData\Roaming\met start.exe

"C:\Users\Admin\AppData\Roaming\met start.exe"

C:\Windows\SysWOW64\PING.EXE

ping 127.0.0.1 -n 5

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

C:\Users\Admin\AppData\Roaming\svchost.exe

"C:\Users\Admin\AppData\Roaming\svchost.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp
US 8.8.8.8:53 zerohaxor1.no-ip.org udp

Files

memory/2496-0-0x0000000000400000-0x0000000000544000-memory.dmp

memory/2860-3-0x0000000000400000-0x000000000051D000-memory.dmp

memory/2860-5-0x0000000000400000-0x000000000051D000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\darkcrypted.exe

MD5 dc11a2ac0e7fda0d531fcd4350b6b56f
SHA1 32bf2255a2397c4bae5e9250260ce9b2c2a901c4
SHA256 fb708bf5cb6e60a45fbe23446b723b79ca3b1720f567afca5c5cd57c07ccb23c
SHA512 a4a569fcdf977dd1e5b01416b69a04f53af190dd0d956f3ffca6101f8af62d8bc47052ede34f3ba395e683aeae3669e609a44812753e8d4818cf1eb1e0698e7f

memory/4820-20-0x0000000000400000-0x00000000004D5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\d48z.exe

MD5 c7e2e7f78d3176794bfd37c571552c5d
SHA1 5ade0c1a932080dc28982e9ac751ef40a819bfab
SHA256 b148721896f9a0fbb6113e5c381dd2555dbbb37d72c780a6ca09b2639e20e876
SHA512 f0b9e1d64c5484cd1073c8cdf65f3c8921fe1588137137de0a3d3bcdb2818441fd0e2ddb7d8b189ef879b3303804438e615ed79398e2c5a8aa254d6428b9848a

memory/976-31-0x0000000000400000-0x000000000043C000-memory.dmp

memory/2860-38-0x0000000000400000-0x000000000051D000-memory.dmp

memory/2472-42-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2472-39-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2260-48-0x0000000000400000-0x00000000004AE000-memory.dmp

memory/4232-47-0x0000000000400000-0x000000000040F000-memory.dmp

memory/2472-58-0x0000000000400000-0x0000000000415000-memory.dmp

memory/4940-61-0x0000000000400000-0x00000000004B3000-memory.dmp

memory/4940-63-0x0000000000400000-0x00000000004B3000-memory.dmp

memory/2260-55-0x0000000000400000-0x00000000004AE000-memory.dmp

memory/4232-50-0x0000000000400000-0x000000000040F000-memory.dmp

memory/2260-66-0x0000000000400000-0x00000000004AE000-memory.dmp

memory/4232-53-0x0000000000400000-0x000000000040F000-memory.dmp

memory/4232-45-0x0000000000400000-0x000000000040F000-memory.dmp

memory/1948-78-0x0000000000400000-0x000000000043C000-memory.dmp

memory/4232-81-0x0000000000400000-0x000000000040F000-memory.dmp

memory/4560-95-0x0000000000400000-0x00000000004D5000-memory.dmp

memory/4940-98-0x0000000000400000-0x00000000004B3000-memory.dmp

memory/1268-102-0x0000000000400000-0x0000000000415000-memory.dmp

memory/2516-107-0x0000000000400000-0x000000000040F000-memory.dmp

memory/1268-108-0x0000000000400000-0x0000000000415000-memory.dmp

memory/3320-112-0x0000000000400000-0x00000000004AE000-memory.dmp

memory/2932-117-0x0000000000400000-0x00000000004B3000-memory.dmp

memory/2932-119-0x0000000000400000-0x00000000004B3000-memory.dmp

memory/2932-118-0x0000000000400000-0x00000000004B3000-memory.dmp

memory/2516-120-0x0000000000400000-0x000000000040F000-memory.dmp

memory/2932-122-0x0000000000400000-0x00000000004B3000-memory.dmp

memory/3320-121-0x0000000000400000-0x00000000004AE000-memory.dmp

memory/2932-125-0x0000000000400000-0x00000000004B3000-memory.dmp

memory/2932-128-0x0000000000400000-0x00000000004B3000-memory.dmp

memory/2932-131-0x0000000000400000-0x00000000004B3000-memory.dmp

memory/2932-134-0x0000000000400000-0x00000000004B3000-memory.dmp

memory/2932-137-0x0000000000400000-0x00000000004B3000-memory.dmp

memory/2932-140-0x0000000000400000-0x00000000004B3000-memory.dmp