Analysis Overview
SHA256
e4c9e8116827030fee7a80a2d2fbbadb2f0b0fc353dbe8833e57f7852ea86810
Threat Level: Known bad
The file 085a4a5430ccb482aaf5e1f428b2e035_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies WinLogon for persistence
Windows security bypass
Modifies security service
Modifies firewall policy service
Darkcomet
Sets file to hidden
Checks computer location settings
Executes dropped EXE
Loads dropped DLL
Windows security modification
Adds Run key to start application
Suspicious use of SetThreadContext
Unsigned PE
Enumerates physical storage devices
System policy modification
Views/modifies file attributes
Checks processor information in registry
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
Suspicious behavior: GetForegroundWindowSpam
Enumerates system info in registry
Suspicious use of WriteProcessMemory
MITRE ATT&CK Matrix V13
Analysis: static1
Detonation Overview
Reported
2024-06-20 17:48
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-20 17:48
Reported
2024-06-20 17:51
Platform
win7-20240419-en
Max time kernel
131s
Max time network
120s
Command Line
Signatures
Darkcomet
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\MSDCSC\msdcsc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\MSDCSC\msdcsc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | C:\MSDCSC\msdcsc.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\MSDCSC\msdcsc.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\MSDCSC\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\MSDCSC\msdcsc.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WINDOWSLOGIN.EXE | N/A |
| N/A | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| N/A | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| N/A | N/A | C:\MSDCSC\msdcsc.exe | N/A |
Loads dropped DLL
Windows security modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\MSDCSC\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\MSDCSC\msdcsc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\MSDCSC\\msdcsc.exe" | C:\MSDCSC\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2764 set thread context of 2700 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe |
| PID 2700 set thread context of 2844 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe |
| PID 1376 set thread context of 2016 | N/A | C:\MSDCSC\msdcsc.exe | C:\MSDCSC\msdcsc.exe |
| PID 2016 set thread context of 2116 | N/A | C:\MSDCSC\msdcsc.exe | C:\MSDCSC\msdcsc.exe |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| Token: 34 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| Token: 33 | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| Token: 34 | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| Token: 35 | N/A | C:\MSDCSC\msdcsc.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\085a4a5430ccb482aaf5e1f428b2e035_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| N/A | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| N/A | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| N/A | N/A | C:\MSDCSC\msdcsc.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | C:\MSDCSC\msdcsc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | C:\MSDCSC\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | C:\MSDCSC\msdcsc.exe | N/A |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\085a4a5430ccb482aaf5e1f428b2e035_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\085a4a5430ccb482aaf5e1f428b2e035_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\259399632.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Microsoft" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\service.exe" /f
C:\Users\Admin\AppData\Roaming\Microsoft\service.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\service.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\service.exe
C:\Users\Admin\AppData\Roaming\Microsoft\service.exe
C:\Users\Admin\AppData\Roaming\Microsoft\service.exe
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE
"C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE"
C:\Users\Admin\AppData\Local\Temp\WINDOWSLOGIN.EXE
"C:\Users\Admin\AppData\Local\Temp\WINDOWSLOGIN.EXE"
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Microsoft" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Microsoft" +s +h
C:\MSDCSC\msdcsc.exe
"C:\MSDCSC\msdcsc.exe"
C:\MSDCSC\msdcsc.exe
C:\MSDCSC\msdcsc.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 820
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 828
C:\MSDCSC\msdcsc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | h0xmon.tk | udp |
| US | 8.8.8.8:53 | h0xmon.tk | udp |
| US | 8.8.8.8:53 | h0xmon.dyndns.org | udp |
Files
C:\Users\Admin\AppData\Local\Temp\259399632.bat
| MD5 | 7eee65b102f30fd1ead48a8cd3b99827 |
| SHA1 | 2f74a754019f280c6186c11531d460006814952e |
| SHA256 | 5748c60056db288b67e61148b339778816279e36907977f4fe03b5df04f6b57f |
| SHA512 | a06de9e35ada579a95b2ba399e4c65b074d642788d456e10e0ae967896ac729c552f715261d9dc8c17fffca8d6b9144a6155ff11ab8569a82bdbd9d26109bd85 |
\Users\Admin\AppData\Roaming\Microsoft\service.exe
| MD5 | d0a34581ffb8d6d99ef29b6e46e06ab8 |
| SHA1 | 5a169f12cf42262ffd62cc1bab213654d7a4dac6 |
| SHA256 | e59240de73344a6cb74551be43702ca23b8c0156ba8cbcb842118509360657f1 |
| SHA512 | 515068e21b1fbb018651e0e53394a5171d92d65eb3de4105efe067cb05f173d6e68d5b908c6684bcf5c53b1891a5752b4b4176044f63e805d7d0896e6c3fd941 |
memory/2700-39-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2700-45-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2844-46-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2844-50-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2844-48-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2844-62-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2700-63-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2844-58-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2844-56-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2844-55-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2844-54-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2844-53-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2844-52-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2844-51-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2844-64-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2844-65-0x0000000000400000-0x00000000004C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
| MD5 | 983852d880a609ff25817b47f0c436f8 |
| SHA1 | 6603aa3e0cb33794344aaadfde3b1f561e1b8f49 |
| SHA256 | f1c5798294612fde0df50d42e530b2013aea877f49cce2aef78df42ce1e53203 |
| SHA512 | b5b2681c27258dd428f7c26bcb277ab2069fa3f82f1945d9879b50c3734ef738be5de5bdb37699fe9522bb138b554f49821e05529011c7c3166cb3cab6aa0b58 |
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
| MD5 | 960ff9f0fdcc7fe6180f159185b228dd |
| SHA1 | 562e42c0f4c5c1b30b086cd1c110645391bb9cb2 |
| SHA256 | 527513b95baf56c82cc823317b90be26f3d3f3ece8046152cdbb0e8092e7d44d |
| SHA512 | a3a4d87968efc28b2d736ebd2d9b818c2e7d58d2588124e05f71d82a1a9b0dd5ae8c145b5b8098089d480da93ad535a427d648f6230f6e2bacfda9056110dc62 |
\Users\Admin\AppData\Local\Temp\SERVICES.EXE
| MD5 | 0b3db22d987384297d6d3e37bbb42525 |
| SHA1 | 505682a108f0cf55caaeca6c781f4d49cc2d8edf |
| SHA256 | 883b8f25dec2a5f565c45363f81402969ce5b5e4d03fc565ccc2fd162916aa00 |
| SHA512 | b03cae2a2fcd46b0fde982214a11db50f6443d85efcf67b51ef60bb5a9fa3b0ad4b6b274c6175c634c7d343ee9253877d52712d1fee0e5b8843e1d3301273ae8 |
\Users\Admin\AppData\Local\Temp\WINDOWSLOGIN.EXE
| MD5 | d52e36ac4ab591f5cac32b433d2134fc |
| SHA1 | 868df7e02042482a37cae9c1b1b7cc25e63b7ab2 |
| SHA256 | 968266055dfa20300ee91a14f3344864b07cd1505054186f91946cccfcb96207 |
| SHA512 | c77c10dbcf58a86a384b413bb064df1af535af48744fe744d03cdfee16df1efa8275216b9cbe083294dac4cfd9e3445e7bb5e1f9051f462be484ae95ab622541 |
memory/2844-114-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2116-144-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2016-148-0x0000000000400000-0x000000000040C000-memory.dmp
memory/2116-147-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2116-146-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2116-145-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2116-143-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2116-142-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2116-150-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2116-151-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2116-152-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2116-153-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2116-154-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2116-155-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2116-156-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2116-157-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2116-158-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2116-159-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2116-160-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2116-161-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/2116-162-0x0000000000400000-0x00000000004C6000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-20 17:48
Reported
2024-06-20 17:51
Platform
win10v2004-20240226-en
Max time kernel
147s
Max time network
156s
Command Line
Signatures
Darkcomet
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | C:\MSDCSC\msdcsc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\MSDCSC\msdcsc.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\MSDCSC\msdcsc.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\MSDCSC\msdcsc.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\MSDCSC\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\MSDCSC\msdcsc.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\085a4a5430ccb482aaf5e1f428b2e035_JaffaCakes118.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\WINDOWSLOGIN.EXE | N/A |
| N/A | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| N/A | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| N/A | N/A | C:\MSDCSC\msdcsc.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\MSDCSC\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | C:\MSDCSC\msdcsc.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\service.exe" | C:\Windows\SysWOW64\reg.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\MSDCSC\\msdcsc.exe" | C:\MSDCSC\msdcsc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 384 set thread context of 4864 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe |
| PID 4864 set thread context of 1768 | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe |
| PID 2932 set thread context of 4132 | N/A | C:\MSDCSC\msdcsc.exe | C:\MSDCSC\msdcsc.exe |
| PID 4132 set thread context of 4508 | N/A | C:\MSDCSC\msdcsc.exe | C:\MSDCSC\msdcsc.exe |
Enumerates physical storage devices
Checks processor information in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\CentralProcessor\0 | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\~MHz | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
Enumerates system info in registry
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
| Key opened | \REGISTRY\MACHINE\Hardware\Description\System\BIOS | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
| Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\BIOS\SystemSKU | C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\MSDCSC\msdcsc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\085a4a5430ccb482aaf5e1f428b2e035_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Roaming\Microsoft\service.exe | N/A |
| N/A | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| N/A | N/A | C:\MSDCSC\msdcsc.exe | N/A |
| N/A | N/A | C:\MSDCSC\msdcsc.exe | N/A |
Suspicious use of WriteProcessMemory
System policy modification
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | C:\MSDCSC\msdcsc.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | C:\MSDCSC\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | C:\MSDCSC\msdcsc.exe | N/A |
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\085a4a5430ccb482aaf5e1f428b2e035_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\085a4a5430ccb482aaf5e1f428b2e035_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\240646406.bat" "
C:\Windows\SysWOW64\reg.exe
REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "Microsoft" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\Microsoft\service.exe" /f
C:\Users\Admin\AppData\Roaming\Microsoft\service.exe
"C:\Users\Admin\AppData\Roaming\Microsoft\service.exe"
C:\Users\Admin\AppData\Roaming\Microsoft\service.exe
C:\Users\Admin\AppData\Roaming\Microsoft\service.exe
C:\Users\Admin\AppData\Roaming\Microsoft\service.exe
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
C:\Windows\SysWOW64\cmd.exe
C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE
"C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE"
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Microsoft" +s +h
C:\Users\Admin\AppData\Local\Temp\WINDOWSLOGIN.EXE
"C:\Users\Admin\AppData\Local\Temp\WINDOWSLOGIN.EXE"
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Roaming\Microsoft" +s +h
C:\MSDCSC\msdcsc.exe
"C:\MSDCSC\msdcsc.exe"
C:\MSDCSC\msdcsc.exe
C:\MSDCSC\msdcsc.exe
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 1448
C:\Windows\Microsoft.NET\Framework64\v2.0.50727\dw20.exe
dw20.exe -x -s 1432
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4000 --field-trial-handle=1928,i,13242902252791919845,10377620236057253993,262144 --variations-seed-version /prefetch:8
C:\MSDCSC\msdcsc.exe
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 76.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 183.59.114.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 18.31.95.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.15.31.184.in-addr.arpa | udp |
| US | 8.8.8.8:53 | h0xmon.tk | udp |
| US | 8.8.8.8:53 | h0xmon.dyndns.org | udp |
| US | 8.8.8.8:53 | h0xmon.dyndns.org | udp |
| US | 8.8.8.8:53 | h0xmon.dyndns.org | udp |
| US | 8.8.8.8:53 | h0xmon.dyndns.org | udp |
| US | 8.8.8.8:53 | 83.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | h0xmon.dyndns.org | udp |
| US | 8.8.8.8:53 | h0xmon.dyndns.org | udp |
| US | 8.8.8.8:53 | h0xmon.dyndns.org | udp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | h0xmon.dyndns.org | udp |
| US | 8.8.8.8:53 | h0xmon.dyndns.org | udp |
| US | 8.8.8.8:53 | h0xmon.dyndns.org | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 142.250.180.10:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | h0xmon.dyndns.org | udp |
| US | 8.8.8.8:53 | 10.180.250.142.in-addr.arpa | udp |
| US | 8.8.8.8:53 | h0xmon.dyndns.org | udp |
| US | 8.8.8.8:53 | h0xmon.dyndns.org | udp |
| US | 8.8.8.8:53 | h0xmon.dyndns.org | udp |
| US | 8.8.8.8:53 | h0xmon.dyndns.org | udp |
| US | 8.8.8.8:53 | h0xmon.dyndns.org | udp |
| US | 8.8.8.8:53 | h0xmon.dyndns.org | udp |
| US | 8.8.8.8:53 | h0xmon.dyndns.org | udp |
| US | 8.8.8.8:53 | h0xmon.dyndns.org | udp |
| US | 8.8.8.8:53 | h0xmon.dyndns.org | udp |
Files
C:\Users\Admin\AppData\Local\Temp\240646406.bat
| MD5 | 7eee65b102f30fd1ead48a8cd3b99827 |
| SHA1 | 2f74a754019f280c6186c11531d460006814952e |
| SHA256 | 5748c60056db288b67e61148b339778816279e36907977f4fe03b5df04f6b57f |
| SHA512 | a06de9e35ada579a95b2ba399e4c65b074d642788d456e10e0ae967896ac729c552f715261d9dc8c17fffca8d6b9144a6155ff11ab8569a82bdbd9d26109bd85 |
C:\Users\Admin\AppData\Roaming\Microsoft\service.exe
| MD5 | d0a34581ffb8d6d99ef29b6e46e06ab8 |
| SHA1 | 5a169f12cf42262ffd62cc1bab213654d7a4dac6 |
| SHA256 | e59240de73344a6cb74551be43702ca23b8c0156ba8cbcb842118509360657f1 |
| SHA512 | 515068e21b1fbb018651e0e53394a5171d92d65eb3de4105efe067cb05f173d6e68d5b908c6684bcf5c53b1891a5752b4b4176044f63e805d7d0896e6c3fd941 |
memory/4864-20-0x0000000000400000-0x000000000040C000-memory.dmp
memory/4864-24-0x0000000000400000-0x000000000040C000-memory.dmp
memory/4864-27-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1768-30-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/1768-28-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/4864-31-0x0000000000400000-0x000000000040C000-memory.dmp
memory/1768-32-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/1768-35-0x0000000000400000-0x00000000004C6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\SERVICES.EXE
| MD5 | 0b3db22d987384297d6d3e37bbb42525 |
| SHA1 | 505682a108f0cf55caaeca6c781f4d49cc2d8edf |
| SHA256 | 883b8f25dec2a5f565c45363f81402969ce5b5e4d03fc565ccc2fd162916aa00 |
| SHA512 | b03cae2a2fcd46b0fde982214a11db50f6443d85efcf67b51ef60bb5a9fa3b0ad4b6b274c6175c634c7d343ee9253877d52712d1fee0e5b8843e1d3301273ae8 |
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat
| MD5 | 960ff9f0fdcc7fe6180f159185b228dd |
| SHA1 | 562e42c0f4c5c1b30b086cd1c110645391bb9cb2 |
| SHA256 | 527513b95baf56c82cc823317b90be26f3d3f3ece8046152cdbb0e8092e7d44d |
| SHA512 | a3a4d87968efc28b2d736ebd2d9b818c2e7d58d2588124e05f71d82a1a9b0dd5ae8c145b5b8098089d480da93ad535a427d648f6230f6e2bacfda9056110dc62 |
C:\Users\Admin\AppData\Local\Temp\WINDOWSLOGIN.EXE
| MD5 | d52e36ac4ab591f5cac32b433d2134fc |
| SHA1 | 868df7e02042482a37cae9c1b1b7cc25e63b7ab2 |
| SHA256 | 968266055dfa20300ee91a14f3344864b07cd1505054186f91946cccfcb96207 |
| SHA512 | c77c10dbcf58a86a384b413bb064df1af535af48744fe744d03cdfee16df1efa8275216b9cbe083294dac4cfd9e3445e7bb5e1f9051f462be484ae95ab622541 |
memory/1768-77-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/224-82-0x000000001BEB0000-0x000000001BF56000-memory.dmp
memory/4132-85-0x0000000000400000-0x000000000040C000-memory.dmp
C:\ProgramData\Microsoft\Windows\WER\Temp\WER755B.tmp.xml
| MD5 | e2bb81451f849a0848a9d18574c9018c |
| SHA1 | 4b189fd237b4b42d7c93132b8fe63463958243be |
| SHA256 | bd0ea254b6e047137623cd19a511b686d2aeb0d2812494bf5b04ee42aab0fa89 |
| SHA512 | a598426adcf44ce1d29f22e5792c68c422ca6345f9b26ff375c1e08cbc6787ea6074e283f7ed1f600945cfb22c58910e9c333ecd96901d3f65498941ede29dee |
memory/4132-100-0x0000000000400000-0x000000000040C000-memory.dmp
memory/4508-103-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/4508-105-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/4132-106-0x0000000000400000-0x000000000040C000-memory.dmp
memory/4508-108-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/4508-109-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/4508-110-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/4508-112-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/4508-111-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/4508-113-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/4508-114-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/4508-115-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/4508-116-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/4508-117-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/4508-118-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/4508-119-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/4508-120-0x0000000000400000-0x00000000004C6000-memory.dmp
memory/4508-121-0x0000000000400000-0x00000000004C6000-memory.dmp