Analysis Overview
SHA256
4b259a4d6a566836a4e511b7ca5d0bd5775360fd52eaf89b03035d4e602431c5
Threat Level: Known bad
The file 1816dd0f974fecd01a3aee390593de19_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Modifies firewall policy service
Darkcomet
Modifies WinLogon for persistence
Windows security bypass
Modifies security service
Sets file to hidden
Disables RegEdit via registry modification
Deletes itself
Loads dropped DLL
Checks computer location settings
Executes dropped EXE
Windows security modification
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in System32 directory
Unsigned PE
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
Views/modifies file attributes
Suspicious use of WriteProcessMemory
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-06-28 00:19
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-06-28 00:19
Reported
2024-06-28 00:21
Platform
win7-20240611-en
Max time kernel
151s
Max time network
122s
Command Line
Signatures
Darkcomet
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\Resimlerim\\Profiles\\chrome.exe" | C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\notepad.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate = "C:\\Users\\Admin\\Documents\\Resimlerim\\Profiles\\chrome.exe" | C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate = "C:\\Users\\Admin\\Documents\\Resimlerim\\Profiles\\chrome.exe" | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\0c0c0c0c.dll | C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 840 set thread context of 2656 | N/A | C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe |
| PID 2656 set thread context of 2612 | N/A | C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe |
| PID 1940 set thread context of 1036 | N/A | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe |
| PID 1036 set thread context of 2824 | N/A | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe |
Enumerates physical storage devices
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe
"C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe"
C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe
"C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe"
C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe
"C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe"
C:\Windows\SysWOW64\notepad.exe
notepad
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | hepter.dyndns.biz | udp |
| US | 8.8.8.8:53 | hepter.no-ip.org | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp |
Files
\Windows\SysWOW64\0c0c0c0c.dll
| MD5 | df5c622697dc8c743f3884914a9e4d99 |
| SHA1 | cdfc6345080dfa9c45d323f15532ad9274385d2f |
| SHA256 | 0ca52bc5cf854e274e15ba07df97b2e75ec4e1fc2d90f23676da7fa3c95da089 |
| SHA512 | 59867bb9608c250661a6eb823f06c907d334eb4f638b04f21cf10213e5163035c37261f5213642c703dd382871a5d3ae764839c1b93e18e833d85ac0e3409f90 |
memory/1940-79-0x0000000000400000-0x00000000005D4000-memory.dmp
memory/2612-78-0x0000000000400000-0x00000000004BC000-memory.dmp
C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe
| MD5 | 1816dd0f974fecd01a3aee390593de19 |
| SHA1 | 67c477675af6dfd5fca81669a58daae9fa8ddc8c |
| SHA256 | 4b259a4d6a566836a4e511b7ca5d0bd5775360fd52eaf89b03035d4e602431c5 |
| SHA512 | 2488732d171cbd43f283cf423d493b1294439a5a4e200b6454a24267eb8f2a815058ef4798c16198b9b6bd4dbbb5442adaf103f483b02935b098bd9fa5fe966a |
memory/1940-88-0x0000000000400000-0x00000000005D4000-memory.dmp
memory/1616-67-0x0000000000170000-0x0000000000171000-memory.dmp
memory/1616-43-0x0000000000080000-0x0000000000081000-memory.dmp
memory/2612-39-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2612-38-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2656-37-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2612-34-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2612-32-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2612-30-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2612-28-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2612-26-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2612-24-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2612-23-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2612-21-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2612-20-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2612-33-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2612-17-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2612-22-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/840-12-0x0000000002CC0000-0x0000000002E94000-memory.dmp
memory/840-11-0x0000000000400000-0x00000000005D4000-memory.dmp
memory/2656-10-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2656-7-0x0000000000400000-0x0000000000406000-memory.dmp
memory/840-1-0x0000000000020000-0x0000000000023000-memory.dmp
memory/840-0-0x0000000000400000-0x00000000005D4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-39690363-730359138-1046745555-1000\88603cb2913a7df3fbd16b5f958e6447_793829ab-9e00-42f6-8ab9-a6ffde9cf44a
| MD5 | 5fc2ac2a310f49c14d195230b91a8885 |
| SHA1 | 90855cc11136ba31758fe33b5cf9571f9a104879 |
| SHA256 | 374e0e2897a7a82e0e44794cad89df0f3cdd7703886239c1fe06d625efd48092 |
| SHA512 | ab46554df9174b9fe9beba50a640f67534c3812f64d96a1fb8adfdc136dfe730ca2370825cd45b7f87a544d6a58dd868cb5a3a7f42e2789f6d679dbc0fdd52c3 |
Analysis: behavioral2
Detonation Overview
Submitted
2024-06-28 00:19
Reported
2024-06-28 00:21
Platform
win10v2004-20240226-en
Max time kernel
151s
Max time network
153s
Command Line
Signatures
Darkcomet
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\Resimlerim\\Profiles\\chrome.exe" | C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe | N/A |
Modifies firewall policy service
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
Modifies security service
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
Windows security bypass
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
Disables RegEdit via registry modification
| Description | Indicator | Process | Target |
| Set value (int) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\notepad.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
Windows security modification
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate = "C:\\Users\\Admin\\Documents\\Resimlerim\\Profiles\\chrome.exe" | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate = "C:\\Users\\Admin\\Documents\\Resimlerim\\Profiles\\chrome.exe" | C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\0c0c0c0c.dll | C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 1600 set thread context of 1568 | N/A | C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe |
| PID 1568 set thread context of 684 | N/A | C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe |
| PID 2576 set thread context of 4228 | N/A | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe |
| PID 4228 set thread context of 2796 | N/A | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe | N/A |
Suspicious behavior: GetForegroundWindowSpam
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe | N/A |
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe" +s +h
C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe
"C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe"
C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe
"C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe"
C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe
"C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe"
C:\Windows\SysWOW64\notepad.exe
notepad
C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 14.160.190.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | hepter.dyndns.biz | udp |
| US | 8.8.8.8:53 | hepter.no-ip.org | udp |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| US | 8.8.8.8:53 | chromewebstore.googleapis.com | udp |
| GB | 216.58.204.74:443 | chromewebstore.googleapis.com | tcp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 8.8.8.8:53 | pki.goog | udp |
| US | 216.239.32.29:80 | pki.goog | tcp |
| US | 8.8.8.8:53 | i.pki.goog | udp |
| US | 8.8.8.8:53 | i.pki.goog | udp |
| GB | 172.217.169.67:80 | i.pki.goog | tcp |
| US | 8.8.8.8:53 | 29.32.239.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 74.204.58.216.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 67.169.217.172.in-addr.arpa | udp |
| US | 8.8.8.8:53 | hepter.dyndns.biz | udp |
| US | 8.8.8.8:53 | hepter.no-ip.org | udp |
| N/A | 127.0.0.1:8211 | tcp | |
| US | 8.8.8.8:53 | 104.219.191.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | hepter.dyndns.biz | udp |
| US | 8.8.8.8:53 | hepter.no-ip.org | udp |
| US | 8.8.8.8:53 | 86.23.85.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:8211 | tcp | |
| US | 8.8.8.8:53 | 206.23.85.13.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | hepter.dyndns.biz | udp |
| US | 8.8.8.8:53 | hepter.no-ip.org | udp |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | hepter.dyndns.biz | udp |
| US | 8.8.8.8:53 | hepter.no-ip.org | udp |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | hepter.dyndns.biz | udp |
| US | 8.8.8.8:53 | hepter.no-ip.org | udp |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | hepter.dyndns.biz | udp |
| US | 8.8.8.8:53 | hepter.no-ip.org | udp |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | hepter.dyndns.biz | udp |
| US | 8.8.8.8:53 | hepter.no-ip.org | udp |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | hepter.dyndns.biz | udp |
| US | 8.8.8.8:53 | hepter.no-ip.org | udp |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | hepter.dyndns.biz | udp |
| US | 8.8.8.8:53 | hepter.no-ip.org | udp |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | hepter.no-ip.org | udp |
| N/A | 127.0.0.1:8211 | tcp | |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | hepter.dyndns.biz | udp |
| US | 8.8.8.8:53 | hepter.no-ip.org | udp |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | hepter.dyndns.biz | udp |
| US | 8.8.8.8:53 | hepter.no-ip.org | udp |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | hepter.dyndns.biz | udp |
| US | 8.8.8.8:53 | hepter.no-ip.org | udp |
| US | 8.8.8.8:53 | 14.227.111.52.in-addr.arpa | udp |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | hepter.dyndns.biz | udp |
| US | 8.8.8.8:53 | hepter.no-ip.org | udp |
| N/A | 127.0.0.1:8211 | tcp | |
| US | 8.8.8.8:53 | 82.90.14.23.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | hepter.dyndns.biz | udp |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | hepter.dyndns.biz | udp |
| US | 8.8.8.8:53 | hepter.no-ip.org | udp |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | hepter.dyndns.biz | udp |
| US | 8.8.8.8:53 | hepter.no-ip.org | udp |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | hepter.dyndns.biz | udp |
| US | 8.8.8.8:53 | hepter.no-ip.org | udp |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | hepter.dyndns.biz | udp |
| US | 8.8.8.8:53 | hepter.no-ip.org | udp |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | hepter.dyndns.biz | udp |
| US | 8.8.8.8:53 | hepter.no-ip.org | udp |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | hepter.no-ip.org | udp |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | hepter.dyndns.biz | udp |
| US | 8.8.8.8:53 | hepter.no-ip.org | udp |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | hepter.dyndns.biz | udp |
| US | 8.8.8.8:53 | hepter.no-ip.org | udp |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | hepter.dyndns.biz | udp |
| US | 8.8.8.8:53 | hepter.no-ip.org | udp |
| N/A | 127.0.0.1:8211 | tcp | |
| US | 8.8.8.8:53 | 10.173.189.20.in-addr.arpa | udp |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | hepter.dyndns.biz | udp |
| US | 8.8.8.8:53 | hepter.no-ip.org | udp |
| N/A | 127.0.0.1:8211 | tcp | |
| N/A | 127.0.0.1:1604 | tcp | |
| US | 8.8.8.8:53 | udp |
Files
memory/1600-0-0x0000000000400000-0x00000000005D4000-memory.dmp
memory/1600-1-0x00000000001C0000-0x00000000001C3000-memory.dmp
C:\Windows\SysWOW64\0c0c0c0c.dll
| MD5 | df5c622697dc8c743f3884914a9e4d99 |
| SHA1 | cdfc6345080dfa9c45d323f15532ad9274385d2f |
| SHA256 | 0ca52bc5cf854e274e15ba07df97b2e75ec4e1fc2d90f23676da7fa3c95da089 |
| SHA512 | 59867bb9608c250661a6eb823f06c907d334eb4f638b04f21cf10213e5163035c37261f5213642c703dd382871a5d3ae764839c1b93e18e833d85ac0e3409f90 |
memory/1568-8-0x0000000000400000-0x0000000000406000-memory.dmp
memory/1600-10-0x0000000000400000-0x00000000005D4000-memory.dmp
memory/1568-11-0x0000000000400000-0x0000000000406000-memory.dmp
memory/684-16-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/684-17-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/1568-18-0x0000000000400000-0x0000000000406000-memory.dmp
memory/684-20-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/684-21-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/684-22-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/5100-26-0x0000000001360000-0x0000000001361000-memory.dmp
C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe
| MD5 | 1816dd0f974fecd01a3aee390593de19 |
| SHA1 | 67c477675af6dfd5fca81669a58daae9fa8ddc8c |
| SHA256 | 4b259a4d6a566836a4e511b7ca5d0bd5775360fd52eaf89b03035d4e602431c5 |
| SHA512 | 2488732d171cbd43f283cf423d493b1294439a5a4e200b6454a24267eb8f2a815058ef4798c16198b9b6bd4dbbb5442adaf103f483b02935b098bd9fa5fe966a |
memory/684-91-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/4228-95-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2576-99-0x0000000000400000-0x00000000005D4000-memory.dmp
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\88603cb2913a7df3fbd16b5f958e6447_2397ee06-28fe-4eaa-8777-f7014368c353
| MD5 | 5fc2ac2a310f49c14d195230b91a8885 |
| SHA1 | 90855cc11136ba31758fe33b5cf9571f9a104879 |
| SHA256 | 374e0e2897a7a82e0e44794cad89df0f3cdd7703886239c1fe06d625efd48092 |
| SHA512 | ab46554df9174b9fe9beba50a640f67534c3812f64d96a1fb8adfdc136dfe730ca2370825cd45b7f87a544d6a58dd868cb5a3a7f42e2789f6d679dbc0fdd52c3 |
memory/2796-103-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2796-107-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2796-106-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2796-109-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2796-110-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/5044-108-0x0000000001330000-0x0000000001331000-memory.dmp
memory/4228-104-0x0000000000400000-0x0000000000406000-memory.dmp
memory/2796-111-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2796-112-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2796-113-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2796-114-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2796-115-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2796-116-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2796-117-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2796-118-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2796-119-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2796-120-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2796-121-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2796-122-0x0000000000400000-0x00000000004BC000-memory.dmp
memory/2796-123-0x0000000000400000-0x00000000004BC000-memory.dmp