Malware Analysis Report

2024-10-23 20:38

Sample ID 240628-ag4sgasfrn
Target 181283c3e130b102c86e6ef049d0071a_JaffaCakes118
SHA256 93a3d616794bbc999144bf30e2189c84b8a2b89c3c27cc08151103062a37d259
Tags
darkcomet persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

93a3d616794bbc999144bf30e2189c84b8a2b89c3c27cc08151103062a37d259

Threat Level: Known bad

The file 181283c3e130b102c86e6ef049d0071a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

darkcomet persistence rat trojan

Darkcomet

Modifies WinLogon for persistence

Executes dropped EXE

Checks BIOS information in registry

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Enumerates physical storage devices

Unsigned PE

Modifies registry class

Suspicious use of WriteProcessMemory

Suspicious behavior: GetForegroundWindowSpam

Enumerates system info in registry

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

Checks processor information in registry

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-06-28 00:11

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-06-28 00:11

Reported

2024-06-28 00:14

Platform

win7-20240419-en

Max time kernel

150s

Max time network

120s

Command Line

"C:\Users\Admin\AppData\Local\Temp\181283c3e130b102c86e6ef049d0071a_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Windupdate\\winupdate.exe" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\181283c3e130b102c86e6ef049d0071a_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\winupdate = "C:\\Users\\Admin\\AppData\\Roaming\\Windupdate\\winupdate.exe" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: 34 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: 34 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A

Suspicious use of SetWindowsHookEx

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2372 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\181283c3e130b102c86e6ef049d0071a_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 2372 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\181283c3e130b102c86e6ef049d0071a_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 2372 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\181283c3e130b102c86e6ef049d0071a_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 2372 wrote to memory of 3028 | N/A | C:\Users\Admin\AppData\Local\Temp\181283c3e130b102c86e6ef049d0071a_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3028 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3028 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3028 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3028 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3028 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3028 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3028 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3028 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3028 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3028 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3028 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3028 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3028 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3028 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3028 wrote to memory of 2384 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 2372 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\181283c3e130b102c86e6ef049d0071a_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNTITL~1.EXE
PID 2372 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\181283c3e130b102c86e6ef049d0071a_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNTITL~1.EXE
PID 2372 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\181283c3e130b102c86e6ef049d0071a_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNTITL~1.EXE
PID 2372 wrote to memory of 2692 | N/A | C:\Users\Admin\AppData\Local\Temp\181283c3e130b102c86e6ef049d0071a_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNTITL~1.EXE
PID 2384 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | C:\Windows\SysWOW64\explorer.exe
PID 2384 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | C:\Windows\SysWOW64\explorer.exe
PID 2384 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | C:\Windows\SysWOW64\explorer.exe
PID 2384 wrote to memory of 2344 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | C:\Windows\SysWOW64\explorer.exe
PID 2384 wrote to memory of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 2384 wrote to memory of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 2384 wrote to memory of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 2384 wrote to memory of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 2384 wrote to memory of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 2384 wrote to memory of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 2384 wrote to memory of 1896 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 1896 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 1896 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 1896 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 1896 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 1896 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 1896 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 1896 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 1896 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 1896 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 1896 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 1896 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 1896 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 1896 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 1896 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 1896 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 1896 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 1896 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 1896 wrote to memory of 2396 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 2396 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | C:\Windows\SysWOW64\explorer.exe
PID 2396 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | C:\Windows\SysWOW64\explorer.exe
PID 2396 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | C:\Windows\SysWOW64\explorer.exe
PID 2396 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | C:\Windows\SysWOW64\explorer.exe
PID 2396 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | C:\Windows\SysWOW64\explorer.exe
PID 2396 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | C:\Windows\SysWOW64\explorer.exe
PID 2396 wrote to memory of 2236 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | C:\Windows\SysWOW64\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\181283c3e130b102c86e6ef049d0071a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\181283c3e130b102c86e6ef049d0071a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNTITL~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNTITL~1.EXE

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\SysWOW64\explorer.exe"

C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe

"C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe"

C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe

"C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\SysWOW64\explorer.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | giviker.zapto.org | udp

Files

\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe

MD5 4ab6e467a63140fb44bea280cea542fc
SHA1 9993678b64516307e17a76f0f2ac2694269da873
SHA256 429dd67ce05b487ef57a5e55158441ba3e914b8b6db2f7f0dac34a123e17a130
SHA512 f76b8fc5d6802db034719c59f791534dd83f062dc9044e4381aa3636b43aeaf52417951e765537c5e9ebd06d726d9499f93e1dae4a0eafd45b19738ec4e76556

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNTITL~1.EXE

MD5 f1e9169a3e85f072ee0d002b7d03a774
SHA1 8283fe30a23eb26b024f97aac94618b53664f8e2
SHA256 1ddab1b1b589f3bd4e272c2325cb2478d33feb6a6807b8a6c02260832ff2a67f
SHA512 84beac45f7b78575ac228fa62e7b4848f7efde79122acee513d9cda6e8b9b1219d5ec9a38c6050ef052195e83eb8d81b8d05200094692ad43a124f0a862f9179

Analysis: behavioral2

Detonation Overview

Submitted

2024-06-28 00:11

Reported

2024-06-28 00:14

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

150s

Command Line

"C:\Users\Admin\AppData\Local\Temp\181283c3e130b102c86e6ef049d0071a_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Windupdate\\winupdate.exe" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A

Checks BIOS information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\"" | C:\Users\Admin\AppData\Local\Temp\181283c3e130b102c86e6ef049d0071a_JaffaCakes118.exe | N/A
Set value (str) | \REGISTRY\USER\S-1-5-21-2804150937-2146708401-419095071-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\winupdate = "C:\\Users\\Admin\\AppData\\Roaming\\Windupdate\\winupdate.exe" | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A

Enumerates physical storage devices

Checks processor information in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\ProcessorNameString | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\Identifier | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0\VendorIdentifier | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Key opened | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\CentralProcessor\0 | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A

Enumerates system info in registry

Description | Indicator | Process | Target
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Key value queried | \REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\Identifier | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A

Suspicious behavior: GetForegroundWindowSpam

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: 34 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeIncreaseQuotaPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: 33 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: 34 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: 35 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A
Token: 36 | N/A | C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe | N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 412 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\181283c3e130b102c86e6ef049d0071a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 412 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\181283c3e130b102c86e6ef049d0071a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 412 wrote to memory of 3532 N/A C:\Users\Admin\AppData\Local\Temp\181283c3e130b102c86e6ef049d0071a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3532 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3532 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3532 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3532 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3532 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3532 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3532 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3532 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3532 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3532 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3532 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3532 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3532 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 3532 wrote to memory of 3440 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe
PID 412 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\181283c3e130b102c86e6ef049d0071a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNTITL~1.EXE
PID 412 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\181283c3e130b102c86e6ef049d0071a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNTITL~1.EXE
PID 412 wrote to memory of 3164 N/A C:\Users\Admin\AppData\Local\Temp\181283c3e130b102c86e6ef049d0071a_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNTITL~1.EXE
PID 3440 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe C:\Windows\SysWOW64\explorer.exe
PID 3440 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe C:\Windows\SysWOW64\explorer.exe
PID 3440 wrote to memory of 2212 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe C:\Windows\SysWOW64\explorer.exe
PID 3440 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 3440 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 3440 wrote to memory of 3596 N/A C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 3596 wrote to memory of 548 N/A C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 3596 wrote to memory of 548 N/A C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 3596 wrote to memory of 548 N/A C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 3596 wrote to memory of 548 N/A C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 3596 wrote to memory of 548 N/A C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 3596 wrote to memory of 548 N/A C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 3596 wrote to memory of 548 N/A C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 3596 wrote to memory of 548 N/A C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 3596 wrote to memory of 548 N/A C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 3596 wrote to memory of 548 N/A C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 3596 wrote to memory of 548 N/A C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 3596 wrote to memory of 548 N/A C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 3596 wrote to memory of 548 N/A C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 3596 wrote to memory of 548 N/A C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe
PID 548 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe C:\Windows\SysWOW64\explorer.exe
PID 548 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe C:\Windows\SysWOW64\explorer.exe
PID 548 wrote to memory of 1264 N/A C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe C:\Windows\SysWOW64\explorer.exe

Processes

C:\Users\Admin\AppData\Local\Temp\181283c3e130b102c86e6ef049d0071a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\181283c3e130b102c86e6ef049d0071a_JaffaCakes118.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe

"C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe"

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNTITL~1.EXE

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNTITL~1.EXE

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\SysWOW64\explorer.exe"

C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe

"C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe"

C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe

"C:\Users\Admin\AppData\Roaming\Windupdate\winupdate.exe"

C:\Windows\SysWOW64\explorer.exe

"C:\Windows\SysWOW64\explorer.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 196.249.167.52.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 2.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 giviker.zapto.org udp
US 8.8.8.8:53 giviker.zapto.org udp
US 8.8.8.8:53 giviker.zapto.org udp
US 8.8.8.8:53 50.23.12.20.in-addr.arpa udp
US 8.8.8.8:53 15.164.165.52.in-addr.arpa udp
US 8.8.8.8:53 giviker.zapto.org udp
US 8.8.8.8:53 giviker.zapto.org udp
US 8.8.8.8:53 giviker.zapto.org udp
US 8.8.8.8:53 giviker.zapto.org udp
US 8.8.8.8:53 giviker.zapto.org udp
US 8.8.8.8:53 giviker.zapto.org udp
US 8.8.8.8:53 0.205.248.87.in-addr.arpa udp
US 8.8.8.8:53 giviker.zapto.org udp
US 8.8.8.8:53 giviker.zapto.org udp
US 8.8.8.8:53 giviker.zapto.org udp
US 8.8.8.8:53 giviker.zapto.org udp
US 8.8.8.8:53 giviker.zapto.org udp
US 8.8.8.8:53 giviker.zapto.org udp
US 8.8.8.8:53 giviker.zapto.org udp
US 8.8.8.8:53 giviker.zapto.org udp
US 8.8.8.8:53 giviker.zapto.org udp
US 8.8.8.8:53 giviker.zapto.org udp
US 8.8.8.8:53 giviker.zapto.org udp
US 8.8.8.8:53 giviker.zapto.org udp
US 8.8.8.8:53 giviker.zapto.org udp
US 8.8.8.8:53 giviker.zapto.org udp
US 8.8.8.8:53 giviker.zapto.org udp
US 8.8.8.8:53 giviker.zapto.org udp
US 8.8.8.8:53 giviker.zapto.org udp
US 8.8.8.8:53 225.162.46.104.in-addr.arpa udp
US 8.8.8.8:53 udp

Files

memory/3532-7-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-22-0x0000000076160000-0x0000000076250000-memory.dmp

memory/3532-25-0x0000000076160000-0x0000000076250000-memory.dmp

memory/3532-24-0x0000000076160000-0x0000000076250000-memory.dmp

memory/3532-23-0x0000000076160000-0x0000000076250000-memory.dmp

memory/3532-21-0x0000000076160000-0x0000000076250000-memory.dmp

memory/3532-20-0x0000000076160000-0x0000000076250000-memory.dmp

memory/3532-19-0x0000000076160000-0x0000000076250000-memory.dmp

memory/3532-18-0x0000000076160000-0x0000000076250000-memory.dmp

memory/3532-17-0x0000000076160000-0x0000000076250000-memory.dmp

memory/3532-16-0x0000000076180000-0x0000000076181000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\winlogon.exe

MD5 4ab6e467a63140fb44bea280cea542fc
SHA1 9993678b64516307e17a76f0f2ac2694269da873
SHA256 429dd67ce05b487ef57a5e55158441ba3e914b8b6db2f7f0dac34a123e17a130
SHA512 f76b8fc5d6802db034719c59f791534dd83f062dc9044e4381aa3636b43aeaf52417951e765537c5e9ebd06d726d9499f93e1dae4a0eafd45b19738ec4e76556

memory/3532-31-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-42-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-54-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-55-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-51-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-72-0x0000000076160000-0x0000000076250000-memory.dmp

memory/3532-78-0x0000000076160000-0x0000000076250000-memory.dmp

memory/3532-77-0x0000000076160000-0x0000000076250000-memory.dmp

memory/3532-76-0x0000000076160000-0x0000000076250000-memory.dmp

memory/3532-79-0x0000000076160000-0x0000000076250000-memory.dmp

memory/3532-75-0x0000000076160000-0x0000000076250000-memory.dmp

memory/3532-71-0x0000000076160000-0x0000000076250000-memory.dmp

memory/3532-70-0x0000000076160000-0x0000000076250000-memory.dmp

memory/3532-69-0x0000000076160000-0x0000000076250000-memory.dmp

memory/3532-68-0x0000000076160000-0x0000000076250000-memory.dmp

memory/3532-53-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-52-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-50-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-49-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-48-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-47-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-45-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-44-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-43-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-41-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-40-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-39-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-38-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-37-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-36-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-35-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3440-82-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3440-80-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3440-84-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3532-33-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-32-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-46-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-34-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-85-0x0000000076160000-0x0000000076250000-memory.dmp

memory/3532-30-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-29-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-28-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-27-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3532-26-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3440-87-0x0000000076160000-0x0000000076250000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\UNTITL~1.EXE

MD5 f1e9169a3e85f072ee0d002b7d03a774
SHA1 8283fe30a23eb26b024f97aac94618b53664f8e2
SHA256 1ddab1b1b589f3bd4e272c2325cb2478d33feb6a6807b8a6c02260832ff2a67f
SHA512 84beac45f7b78575ac228fa62e7b4848f7efde79122acee513d9cda6e8b9b1219d5ec9a38c6050ef052195e83eb8d81b8d05200094692ad43a124f0a862f9179

memory/3440-88-0x0000000076160000-0x0000000076250000-memory.dmp

memory/3440-86-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3440-118-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/3164-126-0x0000000000400000-0x0000000000449000-memory.dmp

memory/3596-157-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3440-167-0x0000000076160000-0x0000000076250000-memory.dmp

memory/3596-179-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3596-186-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3596-185-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3596-184-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3596-183-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3596-182-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3596-181-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3596-180-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3596-178-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3596-177-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3596-176-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3596-175-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3596-174-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3596-173-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3596-172-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3596-171-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3596-170-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3596-169-0x00000000001C0000-0x00000000001E0000-memory.dmp

memory/3596-168-0x00000000001C0000-0x00000000001E0000-memory.dmp