Malware Analysis Report

2024-08-06 18:39

Sample ID 240702-jxp4patbqd
Target 1e90f0087cf0dd6d9be34fe5c16bbde2_JaffaCakes118
SHA256 528a35e8c1404c04455483197731067f6ee0ade835fb8d7a3c92cee5f941383d
Tags
darkcomet guest16_min persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK Matrix

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

528a35e8c1404c04455483197731067f6ee0ade835fb8d7a3c92cee5f941383d

Threat Level: Known bad

The file 1e90f0087cf0dd6d9be34fe5c16bbde2_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

darkcomet guest16_min persistence rat trojan

Darkcomet

Checks computer location settings

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Modifies registry class

Suspicious behavior: EnumeratesProcesses

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK Matrix V13

Analysis: static1

Detonation Overview

Reported

2024-07-02 08:03

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-07-02 08:03

Reported

2024-07-02 08:05

Platform

win7-20240419-en

Max time kernel

150s

Max time network

125s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1e90f0087cf0dd6d9be34fe5c16bbde2_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Vatec = "C:\\Users\\Admin\\AppData\\Roaming\\Vatec.exe" C:\Windows\SysWOW64\WScript.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1320 set thread context of 2696 N/A C:\Users\Admin\AppData\Local\Temp\1e90f0087cf0dd6d9be34fe5c16bbde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

Enumerates physical storage devices

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e90f0087cf0dd6d9be34fe5c16bbde2_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1e90f0087cf0dd6d9be34fe5c16bbde2_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Token: 34 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A
Token: 35 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1320 wrote to memory of 3028 N/A C:\Users\Admin\AppData\Local\Temp\1e90f0087cf0dd6d9be34fe5c16bbde2_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1320 wrote to memory of 3056 N/A C:\Users\Admin\AppData\Local\Temp\1e90f0087cf0dd6d9be34fe5c16bbde2_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1320 wrote to memory of 2696 N/A C:\Users\Admin\AppData\Local\Temp\1e90f0087cf0dd6d9be34fe5c16bbde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1e90f0087cf0dd6d9be34fe5c16bbde2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1e90f0087cf0dd6d9be34fe5c16bbde2_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ren C:\Users\Admin\AppData\Roaming\Vatec Vatec.exe && exit

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp344.vbs"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 vatec.servegame.com udp

Files

memory/1320-0-0x0000000074A51000-0x0000000074A52000-memory.dmp

memory/1320-1-0x0000000074A50000-0x0000000074FFB000-memory.dmp

memory/1320-2-0x0000000074A50000-0x0000000074FFB000-memory.dmp

C:\Users\Admin\AppData\Roaming\Vatec

MD5 1e90f0087cf0dd6d9be34fe5c16bbde2
SHA1 01b5d08a81dd0f7d9075b97296b416d5c5fdffc7
SHA256 528a35e8c1404c04455483197731067f6ee0ade835fb8d7a3c92cee5f941383d
SHA512 e47c2effb1a033a8b69c85c3226fa3347ca3e097dc77008e1b38726c5b8a1bac3234c9399fb570ba83f63594f729bef77f0e2d31962e1c35eaf248450a6f5a0a

C:\Users\Admin\AppData\Local\Temp\Temp344.vbs

MD5 b8e95c12fae9d6f72897df485a9ca3c3
SHA1 148303755c19ac30b181f4997c89892985e81c45
SHA256 e681291d0d3db818e602ed9bd3e9010e4e0938b9f604c1c327540a13fd11a904
SHA512 36aa388a56d755ef3afb6da59161d466a1b17c00006a72ec04d959e9660bc80eaeb7fdf06bdb88dc0ebd16c7cf04cec7562b0e64361a1f92f52f1daf751f288a


Analysis: behavioral2

Detonation Overview

Submitted

2024-07-02 08:03

Reported

2024-07-02 08:05

Platform

win10v2004-20240508-en

Max time kernel

150s

Max time network

154s

Command Line

"C:\Users\Admin\AppData\Local\Temp\1e90f0087cf0dd6d9be34fe5c16bbde2_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\1e90f0087cf0dd6d9be34fe5c16bbde2_JaffaCakes118.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Vatec = "C:\\Users\\Admin\\AppData\\Roaming\\Vatec.exe" C:\Windows\SysWOW64\WScript.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 1140 set thread context of 4412 N/A C:\Users\Admin\AppData\Local\Temp\1e90f0087cf0dd6d9be34fe5c16bbde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Enumerates physical storage devices

Modifies registry class

Description Indicator Process Target
Key created \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000_Classes\Local Settings C:\Users\Admin\AppData\Local\Temp\1e90f0087cf0dd6d9be34fe5c16bbde2_JaffaCakes118.exe N/A

Suspicious behavior: EnumeratesProcesses

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\1e90f0087cf0dd6d9be34fe5c16bbde2_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\1e90f0087cf0dd6d9be34fe5c16bbde2_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: 33 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: 34 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: 35 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A
Token: 36 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 1140 wrote to memory of 4824 N/A C:\Users\Admin\AppData\Local\Temp\1e90f0087cf0dd6d9be34fe5c16bbde2_JaffaCakes118.exe C:\Windows\SysWOW64\cmd.exe
PID 1140 wrote to memory of 2940 N/A C:\Users\Admin\AppData\Local\Temp\1e90f0087cf0dd6d9be34fe5c16bbde2_JaffaCakes118.exe C:\Windows\SysWOW64\WScript.exe
PID 1140 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\1e90f0087cf0dd6d9be34fe5c16bbde2_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Processes

C:\Users\Admin\AppData\Local\Temp\1e90f0087cf0dd6d9be34fe5c16bbde2_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\1e90f0087cf0dd6d9be34fe5c16bbde2_JaffaCakes118.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /C ren C:\Users\Admin\AppData\Roaming\Vatec Vatec.exe && exit

C:\Windows\SysWOW64\WScript.exe

"C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Local\Temp\Temp344.vbs"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

Network

Country Destination Domain Proto
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 172.214.232.199.in-addr.arpa udp
US 8.8.8.8:53 vatec.servegame.com udp
US 8.8.8.8:53 133.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 vatec.servegame.com udp
US 8.8.8.8:53 vatec.servegame.com udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 vatec.servegame.com udp
US 8.8.8.8:53 vatec.servegame.com udp
US 8.8.8.8:53 vatec.servegame.com udp
US 8.8.8.8:53 vatec.servegame.com udp
US 8.8.8.8:53 183.59.114.20.in-addr.arpa udp
US 8.8.8.8:53 56.126.166.20.in-addr.arpa udp
US 8.8.8.8:53 35.15.31.184.in-addr.arpa udp
US 8.8.8.8:53 vatec.servegame.com udp
US 8.8.8.8:53 vatec.servegame.com udp
US 8.8.8.8:53 vatec.servegame.com udp
US 8.8.8.8:53 vatec.servegame.com udp
US 8.8.8.8:53 vatec.servegame.com udp
US 8.8.8.8:53 vatec.servegame.com udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 vatec.servegame.com udp
US 8.8.8.8:53 vatec.servegame.com udp
US 8.8.8.8:53 vatec.servegame.com udp
US 52.111.227.14:443 N/A tcp
US 8.8.8.8:53 vatec.servegame.com udp
US 8.8.8.8:53 vatec.servegame.com udp
US 8.8.8.8:53 vatec.servegame.com udp
US 8.8.8.8:53 13.227.111.52.in-addr.arpa udp
US 8.8.8.8:53 vatec.servegame.com udp
US 8.8.8.8:53 vatec.servegame.com udp
US 8.8.8.8:53 vatec.servegame.com udp
US 8.8.8.8:53 vatec.servegame.com udp
US 8.8.8.8:53 vatec.servegame.com udp
US 8.8.8.8:53 vatec.servegame.com udp
US 8.8.8.8:53 vatec.servegame.com udp
US 8.8.8.8:53 vatec.servegame.com udp
US 8.8.8.8:53 vatec.servegame.com udp
US 8.8.8.8:53 vatec.servegame.com udp
US 8.8.8.8:53 vatec.servegame.com udp

Files

memory/1140-0-0x00007FFB457B0000-0x00007FFB459A5000-memory.dmp

C:\Users\Admin\AppData\Roaming\Vatec

MD5 1e90f0087cf0dd6d9be34fe5c16bbde2
SHA1 01b5d08a81dd0f7d9075b97296b416d5c5fdffc7
SHA256 528a35e8c1404c04455483197731067f6ee0ade835fb8d7a3c92cee5f941383d
SHA512 e47c2effb1a033a8b69c85c3226fa3347ca3e097dc77008e1b38726c5b8a1bac3234c9399fb570ba83f63594f729bef77f0e2d31962e1c35eaf248450a6f5a0a

C:\Users\Admin\AppData\Local\Temp\Temp344.vbs

MD5 b8e95c12fae9d6f72897df485a9ca3c3
SHA1 148303755c19ac30b181f4997c89892985e81c45
SHA256 e681291d0d3db818e602ed9bd3e9010e4e0938b9f604c1c327540a13fd11a904
SHA512 36aa388a56d755ef3afb6da59161d466a1b17c00006a72ec04d959e9660bc80eaeb7fdf06bdb88dc0ebd16c7cf04cec7562b0e64361a1f92f52f1daf751f288a

memory/4412-7-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/4412-8-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/4412-9-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/4412-10-0x00007FFB457B0000-0x00007FFB459A5000-memory.dmp

memory/4412-13-0x00007FFB457B0000-0x00007FFB459A5000-memory.dmp

memory/4412-11-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/4412-12-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/4412-14-0x00007FFB457B0000-0x00007FFB459A5000-memory.dmp

memory/4412-15-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/4412-16-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/4412-17-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/4412-19-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/4412-20-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/4412-21-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/4412-22-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/4412-23-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/4412-24-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/4412-25-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/4412-26-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/4412-27-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/4412-28-0x0000000000400000-0x00000000004B0000-memory.dmp

memory/4412-29-0x0000000000400000-0x00000000004B0000-memory.dmp