darkcomet | ebb8382d407d4209132f5a7578fb823e3aceb365e31f63d2782d490cfc90777b

General

Target

06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
Size

333KB
MD5

06cfe3577f5346a9ddcbf8ad52ea9683
SHA1

2c303ac725fe2573839d20ac2b6802e4a0e67ca6
SHA256

ebb8382d407d4209132f5a7578fb823e3aceb365e31f63d2782d490cfc90777b
SHA512

023e5918ee363bce7f87d838018a6243c3be57512315f7359cb9838c3d01aea623bf56d0a0acdbe71dd9a587f4035d61f631fdef37fd2988c58e8d1171af2353
SSDEEP

6144:M2LEjyH8jI2GaegV8Xx70IBB7MdNa/whottJrVUGhBKdgMydR6:MPWcj11egV8Xt0yMm/wKJrVU4Kd/QR6

Score

10^/10

darkcomet z0mby evasion persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Z0mbY

C2

skekrlld66.zapto.org:1604

Mutex

DC_MUTEX-B3U22NR

Attributes

InstallPath
Microsoft\jusched.exe
gencode
fFyWeV9CgCDw
install
true
offline_keylogger
true
password
pankad12
persistence
true
reg_key
jusched

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\jusched.exe"	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe

Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

3992 attrib.exe
4608 attrib.exe

pid	process
3992	attrib.exe
4608	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

5104 notepad.exe
Executes dropped EXE 2 IoCs

Processes:

jusched.exejusched.exe

pid process

5040 jusched.exe
1964 jusched.exe

pid	process
5104	notepad.exe

pid	process
5040	jusched.exe
1964	jusched.exe

UPX packed file 31 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/1980-0-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2616-3-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/2616-4-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/2616-8-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/2616-7-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1980-9-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/2616-6-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/2616-10-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
C:\Users\Admin\AppData\Roaming\Microsoft\jusched.exe	upx
behavioral2/memory/2616-72-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1964-80-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1964-81-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/5040-83-0x0000000000400000-0x000000000047B000-memory.dmp	upx
behavioral2/memory/1964-85-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1964-84-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1964-87-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1964-88-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1964-89-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1964-90-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1964-91-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1964-92-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1964-93-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1964-94-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1964-95-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1964-96-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1964-97-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1964-98-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1964-99-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1964-100-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1964-101-0x0000000000400000-0x00000000004BA000-memory.dmp	upx
behavioral2/memory/1964-102-0x0000000000400000-0x00000000004BA000-memory.dmp	upx

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exejusched.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jusched = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\jusched.exe"	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\jusched = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\jusched.exe"	jusched.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exejusched.exe

description	pid	process	target process
PID 1980 set thread context of 2616	1980	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
PID 5040 set thread context of 1964	5040	jusched.exe	jusched.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Modifies registry class 1 IoCs

Processes:

06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

jusched.exe

pid process

1964 jusched.exe

pid	process
1964	jusched.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exejusched.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
Token: SeSecurityPrivilege	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
Token: SeBackupPrivilege	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
Token: SeRestorePrivilege	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
Token: SeShutdownPrivilege	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
Token: SeDebugPrivilege	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
Token: SeUndockPrivilege	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
Token: 33	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
Token: 34	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
Token: 35	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
Token: 36	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	1964	jusched.exe
Token: SeSecurityPrivilege	1964	jusched.exe
Token: SeTakeOwnershipPrivilege	1964	jusched.exe
Token: SeLoadDriverPrivilege	1964	jusched.exe
Token: SeSystemProfilePrivilege	1964	jusched.exe
Token: SeSystemtimePrivilege	1964	jusched.exe
Token: SeProfSingleProcessPrivilege	1964	jusched.exe
Token: SeIncBasePriorityPrivilege	1964	jusched.exe
Token: SeCreatePagefilePrivilege	1964	jusched.exe
Token: SeBackupPrivilege	1964	jusched.exe
Token: SeRestorePrivilege	1964	jusched.exe
Token: SeShutdownPrivilege	1964	jusched.exe
Token: SeDebugPrivilege	1964	jusched.exe
Token: SeSystemEnvironmentPrivilege	1964	jusched.exe
Token: SeChangeNotifyPrivilege	1964	jusched.exe
Token: SeRemoteShutdownPrivilege	1964	jusched.exe
Token: SeUndockPrivilege	1964	jusched.exe
Token: SeManageVolumePrivilege	1964	jusched.exe
Token: SeImpersonatePrivilege	1964	jusched.exe
Token: SeCreateGlobalPrivilege	1964	jusched.exe
Token: 33	1964	jusched.exe
Token: 34	1964	jusched.exe
Token: 35	1964	jusched.exe
Token: 36	1964	jusched.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exejusched.exejusched.exe

pid process

1980 06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
5040 jusched.exe
1964 jusched.exe

pid	process
1980	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
5040	jusched.exe
1964	jusched.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.execmd.execmd.exejusched.exejusched.exe

description	pid	process	target process
PID 1980 wrote to memory of 2616	1980	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
PID 1980 wrote to memory of 2616	1980	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
PID 1980 wrote to memory of 2616	1980	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
PID 1980 wrote to memory of 2616	1980	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
PID 1980 wrote to memory of 2616	1980	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
PID 1980 wrote to memory of 2616	1980	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
PID 1980 wrote to memory of 2616	1980	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
PID 1980 wrote to memory of 2616	1980	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
PID 2616 wrote to memory of 2156	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	cmd.exe
PID 2616 wrote to memory of 2156	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	cmd.exe
PID 2616 wrote to memory of 2156	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	cmd.exe
PID 2616 wrote to memory of 1496	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	cmd.exe
PID 2616 wrote to memory of 1496	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	cmd.exe
PID 2616 wrote to memory of 1496	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	cmd.exe
PID 2616 wrote to memory of 5104	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	notepad.exe
PID 2616 wrote to memory of 5104	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	notepad.exe
PID 2616 wrote to memory of 5104	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	notepad.exe
PID 2616 wrote to memory of 5104	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	notepad.exe
PID 2616 wrote to memory of 5104	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	notepad.exe
PID 2616 wrote to memory of 5104	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	notepad.exe
PID 2616 wrote to memory of 5104	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	notepad.exe
PID 2616 wrote to memory of 5104	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	notepad.exe
PID 2616 wrote to memory of 5104	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	notepad.exe
PID 2616 wrote to memory of 5104	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	notepad.exe
PID 2616 wrote to memory of 5104	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	notepad.exe
PID 2616 wrote to memory of 5104	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	notepad.exe
PID 2616 wrote to memory of 5104	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	notepad.exe
PID 2616 wrote to memory of 5104	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	notepad.exe
PID 2616 wrote to memory of 5104	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	notepad.exe
PID 2616 wrote to memory of 5104	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	notepad.exe
PID 2616 wrote to memory of 5104	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	notepad.exe
PID 2156 wrote to memory of 3992	2156	cmd.exe	attrib.exe
PID 2156 wrote to memory of 3992	2156	cmd.exe	attrib.exe
PID 2156 wrote to memory of 3992	2156	cmd.exe	attrib.exe
PID 1496 wrote to memory of 4608	1496	cmd.exe	attrib.exe
PID 1496 wrote to memory of 4608	1496	cmd.exe	attrib.exe
PID 1496 wrote to memory of 4608	1496	cmd.exe	attrib.exe
PID 2616 wrote to memory of 5040	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	jusched.exe
PID 2616 wrote to memory of 5040	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	jusched.exe
PID 2616 wrote to memory of 5040	2616	06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe	jusched.exe
PID 5040 wrote to memory of 1964	5040	jusched.exe	jusched.exe
PID 5040 wrote to memory of 1964	5040	jusched.exe	jusched.exe
PID 5040 wrote to memory of 1964	5040	jusched.exe	jusched.exe
PID 5040 wrote to memory of 1964	5040	jusched.exe	jusched.exe
PID 5040 wrote to memory of 1964	5040	jusched.exe	jusched.exe
PID 5040 wrote to memory of 1964	5040	jusched.exe	jusched.exe
PID 5040 wrote to memory of 1964	5040	jusched.exe	jusched.exe
PID 5040 wrote to memory of 1964	5040	jusched.exe	jusched.exe
PID 1964 wrote to memory of 3972	1964	jusched.exe	notepad.exe
PID 1964 wrote to memory of 3972	1964	jusched.exe	notepad.exe
PID 1964 wrote to memory of 3972	1964	jusched.exe	notepad.exe
PID 1964 wrote to memory of 3972	1964	jusched.exe	notepad.exe
PID 1964 wrote to memory of 3972	1964	jusched.exe	notepad.exe
PID 1964 wrote to memory of 3972	1964	jusched.exe	notepad.exe
PID 1964 wrote to memory of 3972	1964	jusched.exe	notepad.exe
PID 1964 wrote to memory of 3972	1964	jusched.exe	notepad.exe
PID 1964 wrote to memory of 3972	1964	jusched.exe	notepad.exe
PID 1964 wrote to memory of 3972	1964	jusched.exe	notepad.exe
PID 1964 wrote to memory of 3972	1964	jusched.exe	notepad.exe
PID 1964 wrote to memory of 3972	1964	jusched.exe	notepad.exe
PID 1964 wrote to memory of 3972	1964	jusched.exe	notepad.exe
PID 1964 wrote to memory of 3972	1964	jusched.exe	notepad.exe
PID 1964 wrote to memory of 3972	1964	jusched.exe	notepad.exe
PID 1964 wrote to memory of 3972	1964	jusched.exe	notepad.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

3992 attrib.exe
4608 attrib.exe

pid	process
3992	attrib.exe
4608	attrib.exe

C:\Users\Admin\AppData\Local\Temp\06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1980

C:\Users\Admin\AppData\Local\Temp\06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe"
2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2616

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:2156

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\06cfe3577f5346a9ddcbf8ad52ea9683_JaffaCakes118.exe" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:3992

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
3⤵
- Suspicious use of WriteProcessMemory
PID:1496

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
- Sets file to hidden
- Views/modifies file attributes
PID:4608

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
- Deletes itself
PID:5104

C:\Users\Admin\AppData\Roaming\Microsoft\jusched.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\jusched.exe"
3⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5040

C:\Users\Admin\AppData\Roaming\Microsoft\jusched.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\jusched.exe"
4⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1964

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:3972

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

2

T1547

Registry Run Keys / Startup Folder

1

T1547.001

Winlogon Helper DLL

1

T1547.004

Defense Evasion

Modify Registry

2

T1112

Hide Artifacts

2

T1564

Hidden Files and Directories

2

T1564.001

Credential Access

Discovery

Query Registry

1

T1012

System Information Discovery

2

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\jusched.exe
Filesize
333KB

MD5
06cfe3577f5346a9ddcbf8ad52ea9683

SHA1
2c303ac725fe2573839d20ac2b6802e4a0e67ca6

SHA256
ebb8382d407d4209132f5a7578fb823e3aceb365e31f63d2782d490cfc90777b

SHA512
023e5918ee363bce7f87d838018a6243c3be57512315f7359cb9838c3d01aea623bf56d0a0acdbe71dd9a587f4035d61f631fdef37fd2988c58e8d1171af2353

Download Submit
memory/1964-94-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1964-93-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1964-84-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1964-101-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1964-87-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1964-99-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1964-98-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1964-97-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1964-96-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1964-95-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1964-80-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1964-81-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1964-92-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1964-85-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1964-102-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1964-100-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1964-91-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1964-88-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1964-89-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1964-90-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1980-0-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/1980-9-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/2616-10-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2616-4-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2616-72-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2616-3-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2616-6-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2616-7-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2616-8-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3972-86-0x0000000000A90000-0x0000000000A91000-memory.dmp

Filesize
4KB

Download
memory/5040-83-0x0000000000400000-0x000000000047B000-memory.dmp

Filesize
492KB

Download
memory/5104-14-0x0000000001290000-0x0000000001291000-memory.dmp

Filesize
4KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads