Malware Analysis Report

2024-10-23 20:33

Sample ID 240627-z9jenstgnq
Target 17952d6d362fb10f6feba49016730c98_JaffaCakes118
SHA256 838f0dfabc78e448aa17c69ad07715f89532ff8deb4081e4952179aafc4a44e2
Tags
darkcomet evasion rat trojan upx
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

838f0dfabc78e448aa17c69ad07715f89532ff8deb4081e4952179aafc4a44e2

Threat Level: Known bad

The file 17952d6d362fb10f6feba49016730c98_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

darkcomet evasion rat trojan upx

Darkcomet family

Darkcomet

Sets file to hidden

UPX packed file

Checks computer location settings

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Views/modifies file attributes

Suspicious use of SetWindowsHookEx

Suspicious behavior: GetForegroundWindowSpam

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-27 21:24

Signatures

Darkcomet family

darkcomet

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-27 21:24

Reported

2024-06-27 21:27

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

146s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Sets file to hidden

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4124900551-4068476067-3491212533-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2084 set thread context of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: 34 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: 33 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: 34 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: 35 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: 36 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2084 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 2824 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 1824 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 1824 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 1824 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2084 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2084 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2084 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2084 wrote to memory of 1668 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2824 wrote to memory of 3884 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2824 wrote to memory of 3884 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2824 wrote to memory of 3884 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1824 wrote to memory of 3380 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1824 wrote to memory of 3380 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 1824 wrote to memory of 3380 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "

C:\Windows\SysWOW64\cmd.exe

C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\AppData\Local\Temp" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\AppData\Local\Temp" +s +h

Network

Country Destination Domain Proto
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 86.23.85.13.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 240.221.184.93.in-addr.arpa udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 82.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 22.236.111.52.in-addr.arpa udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
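
The table above shows the sample asking 8.8.8.8 for the same dynamic-DNS name, hackattack777.no-ip.org, thirty times in a run capped at 146 seconds of network time, interleaved with a handful of reverse (in-addr.arpa) lookups. The sandbox records only the questions, not the answers, so the usable signal is the repetition itself: a client that re-resolves one name every few seconds is retrying its server. The Python below is an added example, not part of the sandbox report. It parses rows in the shape of this Network table, buckets each name as a reverse lookup, a dynamic-DNS host or other, turns PTR names back into the address they ask about (useful for pivoting), and flags dynamic-DNS names queried at or above a repeat threshold. The DDNS suffixes other than no-ip.org, the threshold of 5, and the sample rows (a subset of the table above plus one made-up benign name) are assumptions of the example.

```python
"""Flag a C2 resolution loop in sandbox DNS output.

Added example, not part of the sandbox report. Parses rows shaped like the
report's Network table (Country Destination Domain Proto) and counts how
often each name was queried during the run.
"""
import re
from collections import Counter

# Dynamic-DNS suffixes treated as higher risk. no-ip.org appears in this
# report; the remaining suffixes are an assumed list for illustration.
DDNS_SUFFIXES = ("no-ip.org", "no-ip.biz", "ddns.net", "duckdns.org",
                 "hopto.org", "zapto.org")

# Country, destination ip:port, queried name, protocol.
ROW_RE = re.compile(
    r"^(?P<cc>\S+)\s+(?P<ip>\S+):(?P<port>\d+)\s+(?P<name>\S+)\s+(?P<proto>\S+)$"
)


def parse_rows(text):
    """Return one dict per data row; the header and blank lines do not match."""
    rows = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if m:
            rows.append(m.groupdict())
    return rows


def classify(name):
    """Bucket a queried name: reverse lookup, dynamic-DNS host, or other."""
    n = name.lower().rstrip(".")
    if n.endswith(".in-addr.arpa") or n.endswith(".ip6.arpa"):
        return "reverse-lookup"
    # Match the suffix as a whole label so 'fakeno-ip.org' is not caught.
    if any(n == s or n.endswith("." + s) for s in DDNS_SUFFIXES):
        return "dynamic-dns"
    return "other"


def ptr_to_ip(name):
    """Turn an IPv4 PTR name (d.c.b.a.in-addr.arpa) back into a.b.c.d."""
    labels = name.lower().rstrip(".").split(".")
    if len(labels) != 6 or labels[-2:] != ["in-addr", "arpa"]:
        return None
    return ".".join(reversed(labels[:4]))


def summarize(text, repeat_threshold=5):
    """Count queries per name and flag dynamic-DNS names queried repeatedly."""
    counts = Counter(r["name"].lower() for r in parse_rows(text) if r["port"] == "53")
    findings = []
    for name, n in counts.most_common():
        kind = classify(name)
        findings.append({
            "name": name,
            "queries": n,
            "kind": kind,
            "resolves": ptr_to_ip(name) if kind == "reverse-lookup" else None,
            # A detonation lasts a couple of minutes; re-querying one DDNS name
            # many times in that window looks like a client retrying its server.
            "flagged": kind == "dynamic-dns" and n >= repeat_threshold,
        })
    return findings


# Constructed subset of the report's Network table: 8 repeats of the DDNS
# name, 3 reverse lookups, plus one made-up benign name that must not flag.
SAMPLE = """
Country Destination Domain Proto
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 80.90.14.23.in-addr.arpa udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 228.249.119.40.in-addr.arpa udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 hackattack777.no-ip.org udp
US 8.8.8.8:53 example.invalid udp
"""

if __name__ == "__main__":
    for finding in summarize(SAMPLE):
        print(finding)
```

Run against the full table above, the same logic counts thirty queries for hackattack777.no-ip.org and nine reverse lookups, none of which flag. The reverse lookups are worth converting rather than discarding: the PTR names give the addresses the sandbox host tried to name, which is where a pivot into network telemetry would start.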

Files

memory/2084-0-0x0000000000400000-0x00000000004C9000-memory.dmp

memory/2084-1-0x00000000023D0000-0x00000000023D1000-memory.dmp

memory/1668-9-0x0000000000400000-0x00000000004C9000-memory.dmp

memory/2084-10-0x0000000000400000-0x00000000004C9000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

MD5 b774ae3fb1da087e1f83b4f7b2060e5a
SHA1 97eb9be49ac3af9c851c9e1e84e32bfd53e325a8
SHA256 adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b
SHA512 f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701
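
Read together, the WriteProcessMemory and SetThreadContext rows and the memory dumps in this detonation describe a process-hollowing chain: the sample (PID 2084) starts iexplore.exe (PID 1668), writes into it and then resets its thread context, and the sandbox dumps an identical 0x400000-0x4C9000 region from both processes, consistent with the sample's unpacked image having been mapped into the browser process. The writes into the two cmd.exe children, and from cmd.exe into attrib.exe, have no matching SetThreadContext and are the ordinary writes a parent performs when it creates a child. The Python below is an added example, not part of the report. It parses rows in the shape of these signature tables and of the memory-dump file names, aggregates them per writer/target pair, and reports which pairs show the write-plus-SetThreadContext pattern and whether a dumped region is shared between the two processes. The sample rows are a constructed subset of the behavioral2 data above; the verdict labels are the example's own.

```python
"""Reconstruct an injection chain from a sandbox's WriteProcessMemory and
SetThreadContext rows plus its memory-dump file names.

Added example, not part of the report. Decides which writer/target pairs
look like process hollowing rather than ordinary process start-up.
"""
import re
from collections import defaultdict

# "PID <src> wrote to memory of <dst> N/A <src image> <dst image>"
INJECT_RE = re.compile(
    r"^PID (?P<src>\d+) (?P<action>wrote to memory of|set thread context of) "
    r"(?P<dst>\d+)\s+N/A\s+(?P<paths>.+)$"
)
# memory/<pid>-<n>-0x<start>-0x<end>-memory.dmp
DUMP_RE = re.compile(
    r"^memory/(?P<pid>\d+)-\d+-0x(?P<start>[0-9a-fA-F]+)-0x(?P<end>[0-9a-fA-F]+)-memory\.dmp$"
)


def parse_indicators(text):
    """Aggregate rows into (src_pid, dst_pid) -> call counts and image paths."""
    edges = defaultdict(lambda: {"write": 0, "set_context": 0,
                                 "src_image": None, "dst_image": None})
    for line in text.strip().splitlines():
        m = INJECT_RE.match(line.strip())
        if not m:
            continue
        # Process and Target are two paths that may contain spaces; each
        # starts with a drive letter, so split on whitespace before "X:\".
        paths = re.split(r"\s+(?=[A-Za-z]:\\)", m["paths"].strip())
        if len(paths) != 2:
            continue
        e = edges[(int(m["src"]), int(m["dst"]))]
        e["write" if m["action"].startswith("wrote") else "set_context"] += 1
        e["src_image"], e["dst_image"] = paths
    return edges


def parse_dumps(text):
    """Map pid -> set of (base, size) regions the sandbox dumped."""
    regions = defaultdict(set)
    for line in text.strip().splitlines():
        m = DUMP_RE.match(line.strip())
        if m:
            start, end = int(m["start"], 16), int(m["end"], 16)
            regions[int(m["pid"])].add((start, end - start))
    return regions


def find_injection(indicator_text, dump_text):
    """Classify every writer/target pair.

    A parent writing into a child it just created is routine; the same parent
    also calling SetThreadContext on that child is the hollowing pattern. A
    region dumped at the same base and size from both processes corroborates
    that the writer's image was mapped into the target.
    """
    edges = parse_indicators(indicator_text)
    regions = parse_dumps(dump_text)
    findings = []
    for (src, dst), e in sorted(edges.items()):
        shared = sorted(regions[src] & regions[dst])
        hollow = e["write"] > 0 and e["set_context"] > 0
        findings.append({
            "src": src, "dst": dst,
            "src_image": e["src_image"], "dst_image": e["dst_image"],
            "writes": e["write"], "set_context": e["set_context"],
            "shared_regions": shared,
            "verdict": "hollowing-candidate" if hollow else "startup-write",
        })
    return findings


# Constructed subset of this report's behavioral2 rows and dump names.
SAMPLE_INDICATORS = r"""
PID 2084 wrote to memory of 2824 N/A C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 1824 N/A C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 2084 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2084 wrote to memory of 1668 N/A C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2084 set thread context of 1668 N/A C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2824 wrote to memory of 3884 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
"""
SAMPLE_DUMPS = """
memory/2084-0-0x0000000000400000-0x00000000004C9000-memory.dmp
memory/2084-1-0x00000000023D0000-0x00000000023D1000-memory.dmp
memory/1668-9-0x0000000000400000-0x00000000004C9000-memory.dmp
memory/2084-10-0x0000000000400000-0x00000000004C9000-memory.dmp
"""

if __name__ == "__main__":
    for f in find_injection(SAMPLE_INDICATORS, SAMPLE_DUMPS):
        print(f["src"], "->", f["dst"], f["verdict"], [hex(b) for b, _ in f["shared_regions"]])
```

The count of write rows by itself does not separate the cases: the sample writes five times into iexplore.exe and three times into each cmd.exe, and cmd.exe in turn writes three times into each attrib.exe it starts. The discriminator is the single SetThreadContext row, backed by the mirrored 0x400000 region in the dumps of PID 2084 and PID 1668; the second detonation shows the same pairing for PIDs 2972 and 2704.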

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-27 21:24

Reported

2024-06-27 21:27

Platform

win7-20240508-en

Max time kernel

140s

Max time network

119s

Command Line

"C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Sets file to hidden

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

UPX packed file

upx
Description | Indicator | Process | Target
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A
N/A | N/A | N/A | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2972 set thread context of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe

Enumerates physical storage devices

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: 34 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: 33 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: 34 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A
Token: 35 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2972 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2796 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2660 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | C:\Windows\SysWOW64\cmd.exe
PID 2972 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2972 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2972 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2972 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2972 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2972 wrote to memory of 2704 | N/A | C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe
PID 2660 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2660 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2660 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2660 wrote to memory of 2664 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2796 wrote to memory of 2928 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2796 wrote to memory of 2928 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2796 wrote to memory of 2928 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2796 wrote to memory of 2928 | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\17952d6d362fb10f6feba49016730c98_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "

C:\Windows\SysWOW64\cmd.exe

cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "

C:\Program Files (x86)\Internet Explorer\iexplore.exe

"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\AppData\Local\Temp" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Users\Admin\AppData\Local\Temp" +s +h

Network

Country Destination Domain Proto
US 8.8.8.8:53 hackattack777.no-ip.org udp

Files

memory/2972-0-0x0000000000400000-0x00000000004C9000-memory.dmp

memory/2972-1-0x0000000000260000-0x0000000000261000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

MD5 dbff1287eec172111832ecaac475fc98
SHA1 e8f43497ddf34a7d0f23d49e5699661bb8f05d5e
SHA256 8c2e45a0bf8926a91a493c387075f515f20c5e71b28da9338c6fab0b13334018
SHA512 06ccfc09b0bdcd25c2c45913ed24e816b47dfb1ceac13f14a7df354fda0d526c05ad0f6fbc95bc4ae78bebb9ad026adbced1c97b370b4f4bfa5bf9034afb5989

C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

MD5 b774ae3fb1da087e1f83b4f7b2060e5a
SHA1 97eb9be49ac3af9c851c9e1e84e32bfd53e325a8
SHA256 adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b
SHA512 f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701

memory/2704-19-0x0000000000400000-0x00000000004C9000-memory.dmp

memory/2972-20-0x0000000000400000-0x00000000004C9000-memory.dmp