Malware Analysis Report

2025-04-13 23:11

Sample ID 240723-akzypawfkc
Target 65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118
SHA256 2d2abd10b60d6464e062eaa347bbeb48aa78a9cde4217a1f2c2cfc301953c9de
Tags darkcomet spreaded persistence rat trojan
Score 10/10

Table of Contents

  Analysis Overview
  MITRE ATT&CK
    Enterprise Matrix V15
  Analysis: static1
    Detonation Overview
    Signatures
  Analysis: behavioral1
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files
  Analysis: behavioral2
    Detonation Overview
    Command Line
    Signatures
    Processes
    Network
    Files

Analysis Overview

Score 10/10

SHA256 2d2abd10b60d6464e062eaa347bbeb48aa78a9cde4217a1f2c2cfc301953c9de

Threat Level: Known bad

The file 65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

darkcomet spreaded persistence rat trojan

Darkcomet

Executes dropped EXE

Checks computer location settings

Loads dropped DLL

Adds Run key to start application

Suspicious use of SetThreadContext

Unsigned PE

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Suspicious use of SetWindowsHookEx

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported 2024-07-23 00:16

Signatures

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A

Analysis: behavioral1

Detonation Overview

Submitted 2024-07-23 00:16
Reported 2024-07-23 01:20
Platform win7-20240705-en
Max time kernel 150s
Max time network 122s

Command Line

"C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NPaqpR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1385883288-3042840365-2734249351-1000\Software\Microsoft\Windows\CurrentVersion\Run\MSE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\javawi.exe" C:\Users\Admin\AppData\Local\Temp\NPaqpR.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 2376 set thread context of 2752 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2376 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2376 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2376 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2376 wrote to memory of 2972 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 2972 wrote to memory of 2416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2972 wrote to memory of 2416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2972 wrote to memory of 2416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2972 wrote to memory of 2416 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2376 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\NPaqpR.exe
PID 2376 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\NPaqpR.exe
PID 2376 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\NPaqpR.exe
PID 2376 wrote to memory of 2892 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\NPaqpR.exe
PID 2376 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2376 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2376 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2376 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2376 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2376 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2376 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2376 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2376 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2376 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2376 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2376 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2376 wrote to memory of 2752 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 2752 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 2752 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 2752 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 2752 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 2752 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 2752 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 2752 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 2752 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 2752 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 2752 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 2752 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 2752 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 2752 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 2752 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 2752 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 2752 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 2752 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 2752 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 2752 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 2752 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 2752 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 2752 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 2752 wrote to memory of 2956 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe

Processes

C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\3u0ymqul.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBB54.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCBB53.tmp"

C:\Users\Admin\AppData\Local\Temp\NPaqpR.exe

"C:\Users\Admin\AppData\Local\Temp\NPaqpR.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Windows\SysWOW64\notepad.exe

notepad

Network

Country Destination Domain Proto
US 8.8.8.8:53 simproxid.no-ip.org udp

Files

memory/2376-0-0x0000000074501000-0x0000000074502000-memory.dmp

memory/2376-1-0x0000000074500000-0x0000000074AAB000-memory.dmp

memory/2376-2-0x0000000074500000-0x0000000074AAB000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\3u0ymqul.cmdline

MD5 9003215acbdcf7886bd99e71aa0dfba6
SHA1 078137a917bcb3d613a49229889f1865ba1766d3
SHA256 19e8d5ee6a4121428d0f28e355719942f6f86e68aaf57f41702af7947e40d6db
SHA512 9d5c918182de776a81a933e30fdb0e2db873b2275e7da6a9cfd7510d7ee8d4d95f77063c2034b039852481fe1eaa3fe851a73bebba6b7813dd030e667f6da70b

\??\c:\Users\Admin\AppData\Local\Temp\3u0ymqul.0.cs

MD5 88cb62593ae10e37e02f7f43aee77246
SHA1 ed80fdfb7d3fbb035a544e712e92bc2438f6b089
SHA256 31a5a148395b88114101dedd9e5418b04b1b57d0964f0088b431aa4835631390
SHA512 811eef58966f3eb0723a6c6944f2ca9f504445260cdeb0e40faf3353924686634b8acdec0f35b4d9e1aa243ccae1cb419163630b822e1dba66e16f8f22bcc9f5

memory/2972-8-0x0000000074500000-0x0000000074AAB000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSCBB53.tmp

MD5 14e95655e74fe8a8c7df3d505720ea45
SHA1 158511920ab075fd1f4eb51dbc47ccf2953358aa
SHA256 3cbee629e0898006d2e85803f1a78d29a26490ff88a7348313b07dd9c39ec398
SHA512 f01213dcae74c07ad0e07f9ff1f2eed11ef62feed100e78222c61a3495f4ec157fbc53123e05f9e938f24ca177e5e1dc49c9649636e333261d6efff843b696fa

C:\Users\Admin\AppData\Local\Temp\RESBB54.tmp

MD5 91b3570eb53f524b6a6d48f69e8068c3
SHA1 f0abdbc7ca4837ba9f400cc080b01a793b28585e
SHA256 c7c8bdeefb5056e66963adf86f8a569a694cb3116c3cab8c99012d1a4f2b61da
SHA512 8ea73e04c16a7ac27008c5e67bb34d3c46e3e666aa4a8c55fc2e52fd1cd6253e883e5c70614ff0207e6f28833eeacf34c354d77252e609874889b0bce04084a1

memory/2972-15-0x0000000074500000-0x0000000074AAB000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NPaqpR.exe

MD5 194da627fc66d769974bf6217d0f0d34
SHA1 084c303019facdfb275a6d0277677cf4c4a69fa8
SHA256 b5c7bd0bb9dd7ed651bf41af74a63c745f0c189aacf12b78d00ae0340944b9f7
SHA512 4309223412108cbcdf712124e6fd7913645195c2b49a33aac01ed1e14e8fc84db8a3e9549eaf0f7b3c34708942226c367748e5886874dbbd644eaf3e03b04dec

\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 ed797d8dc2c92401985d162e42ffa450
SHA1 0f02fc517c7facc4baefde4fe9467fb6488ebabe
SHA256 b746362010a101cb5931bc066f0f4d3fc740c02a68c1f37fc3c8e6c87fd7cb1e
SHA512 e831a6ff987f3ef29982da16afad06938b68eddd43c234ba88d1c96a1b5547f2284baf35cbb3a5bfd75e7f0445d14daa014e0ba00b4db72c67f83f0a314c80c2

memory/2752-26-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2752-28-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2376-47-0x0000000074500000-0x0000000074AAB000-memory.dmp

memory/2752-46-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2752-43-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2752-42-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2752-40-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2752-38-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2752-87-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2752-88-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2956-86-0x00000000001E0000-0x00000000001E1000-memory.dmp

memory/2956-48-0x0000000000080000-0x0000000000081000-memory.dmp

memory/2752-36-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2752-34-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2752-32-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2752-30-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2752-89-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2752-90-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2752-91-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/2752-92-0x0000000000400000-0x00000000004B5000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted 2024-07-23 00:16
Reported 2024-07-23 01:20
Platform win10v2004-20240709-en
Max time kernel 150s
Max time network 152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\NPaqpR.exe N/A
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1176886754-713327781-2233697964-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MSE = "C:\\Users\\Admin\\AppData\\Local\\Temp\\javawi.exe" C:\Users\Admin\AppData\Local\Temp\NPaqpR.exe N/A

Suspicious use of SetThreadContext

Description Indicator Process Target
PID 5344 set thread context of 5980 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe

Enumerates physical storage devices

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe N/A
Token: SeIncreaseQuotaPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeSecurityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeSystemtimePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeBackupPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeRestorePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeDebugPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeUndockPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeManageVolumePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeImpersonatePrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 33 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 34 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 35 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A
Token: 36 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 5344 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 5344 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 5344 wrote to memory of 4412 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
PID 4412 wrote to memory of 912 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4412 wrote to memory of 912 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 4412 wrote to memory of 912 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 5344 wrote to memory of 6112 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\NPaqpR.exe
PID 5344 wrote to memory of 6112 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\NPaqpR.exe
PID 5344 wrote to memory of 6112 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\NPaqpR.exe
PID 5344 wrote to memory of 5980 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 5344 wrote to memory of 5980 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 5344 wrote to memory of 5980 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 5344 wrote to memory of 5980 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 5344 wrote to memory of 5980 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 5344 wrote to memory of 5980 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 5344 wrote to memory of 5980 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 5344 wrote to memory of 5980 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 5344 wrote to memory of 5980 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 5344 wrote to memory of 5980 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 5344 wrote to memory of 5980 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 5344 wrote to memory of 5980 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 5344 wrote to memory of 5980 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 5344 wrote to memory of 5980 N/A C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\svchost.exe
PID 5980 wrote to memory of 5916 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 5980 wrote to memory of 5916 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 5980 wrote to memory of 5916 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 5980 wrote to memory of 5916 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 5980 wrote to memory of 5916 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 5980 wrote to memory of 5916 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 5980 wrote to memory of 5916 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 5980 wrote to memory of 5916 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 5980 wrote to memory of 5916 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 5980 wrote to memory of 5916 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 5980 wrote to memory of 5916 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 5980 wrote to memory of 5916 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 5980 wrote to memory of 5916 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 5980 wrote to memory of 5916 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 5980 wrote to memory of 5916 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 5980 wrote to memory of 5916 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 5980 wrote to memory of 5916 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 5980 wrote to memory of 5916 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 5980 wrote to memory of 5916 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 5980 wrote to memory of 5916 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 5980 wrote to memory of 5916 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe
PID 5980 wrote to memory of 5916 N/A C:\Users\Admin\AppData\Local\Temp\svchost.exe C:\Windows\SysWOW64\notepad.exe

Processes

C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\65642f6048c56ff3ae6fb6cb91330e15_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\mfo8zr_a.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESB92F.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCB92E.tmp"

C:\Users\Admin\AppData\Local\Temp\NPaqpR.exe

"C:\Users\Admin\AppData\Local\Temp\NPaqpR.exe"

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Users\Admin\AppData\Local\Temp\svchost.exe

C:\Windows\SysWOW64\notepad.exe

notepad

Network

Country Destination Domain Proto
US 8.8.8.8:53 8.8.8.8.in-addr.arpa udp
US 8.8.8.8:53 13.86.106.20.in-addr.arpa udp
US 8.8.8.8:53 23.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 g.bing.com udp
US 204.79.197.237:443 g.bing.com tcp
US 8.8.8.8:53 237.197.79.204.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 72.32.126.40.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 58.99.105.20.in-addr.arpa udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 8.8.8.8:53 104.219.191.52.in-addr.arpa udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 8.8.8.8:53 103.169.127.40.in-addr.arpa udp
US 8.8.8.8:53 171.39.242.20.in-addr.arpa udp
US 8.8.8.8:53 172.210.232.199.in-addr.arpa udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 8.8.8.8:53 45.56.20.217.in-addr.arpa udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 8.8.8.8:53 35.58.20.217.in-addr.arpa udp
US 8.8.8.8:53 57.169.31.20.in-addr.arpa udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 8.8.8.8:53 88.156.103.20.in-addr.arpa udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 8.8.8.8:53 simproxid.no-ip.org udp
US 8.8.8.8:53 13.173.189.20.in-addr.arpa udp
US 8.8.8.8:53 simproxid.no-ip.org udp

Files

memory/5344-0-0x0000000074A12000-0x0000000074A13000-memory.dmp

memory/5344-1-0x0000000074A10000-0x0000000074FC1000-memory.dmp

memory/5344-2-0x0000000074A10000-0x0000000074FC1000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\mfo8zr_a.cmdline

MD5 d44fa53ca7076d3784ee760f14e5594c
SHA1 a14b6eb84ee75a73bf9848ae034c785ac41c60bb
SHA256 7648a9774e0820b68468828f020f26ce82df453b12f399a7c4a8a78d8f5111a9
SHA512 c7bafe94027a8d96a5b2cd21c6501c86813d7c0bc4cbdb9aa8a72cb212ca91221a047a34a8fb1c99a651a99a6eb31f654fc6d40e3a69428bf4bd47354aeb5307

\??\c:\Users\Admin\AppData\Local\Temp\mfo8zr_a.0.cs

MD5 88cb62593ae10e37e02f7f43aee77246
SHA1 ed80fdfb7d3fbb035a544e712e92bc2438f6b089
SHA256 31a5a148395b88114101dedd9e5418b04b1b57d0964f0088b431aa4835631390
SHA512 811eef58966f3eb0723a6c6944f2ca9f504445260cdeb0e40faf3353924686634b8acdec0f35b4d9e1aa243ccae1cb419163630b822e1dba66e16f8f22bcc9f5

memory/4412-8-0x0000000074A10000-0x0000000074FC1000-memory.dmp

\??\c:\Users\Admin\AppData\Local\Temp\CSCB92E.tmp

MD5 14e95655e74fe8a8c7df3d505720ea45
SHA1 158511920ab075fd1f4eb51dbc47ccf2953358aa
SHA256 3cbee629e0898006d2e85803f1a78d29a26490ff88a7348313b07dd9c39ec398
SHA512 f01213dcae74c07ad0e07f9ff1f2eed11ef62feed100e78222c61a3495f4ec157fbc53123e05f9e938f24ca177e5e1dc49c9649636e333261d6efff843b696fa

C:\Users\Admin\AppData\Local\Temp\RESB92F.tmp

MD5 3932d99806d24dd184193f1dbea64e9e
SHA1 6c81f869cc1cae49c30430a6866906da3a2d750a
SHA256 8fb7b55a735a2313b43d8f4fcb556ceae5ff57dcb9b338c47db144ccf66edada
SHA512 fcaf1bbbbcd35bc0bce57097633e38a2dbe50973ebe2b6f3a9cfa0edf63b21097972fc9fb9bbb77a614883f60405f3b6d57814cbd5327a1626b741820c9fc518

memory/4412-15-0x0000000074A10000-0x0000000074FC1000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\NPaqpR.exe

MD5 9a73b6d289fdeb89fad4edfaa067ce78
SHA1 9d4087e5b2beae27ffd8bf48105186323a2001ab
SHA256 a0ebb612de0a9a528aa9b1872155ed2aae2f11d051bc3208c5803b38afaf72de
SHA512 dd1653a73f73e8a13e26429b5d20826b1aaccaccdf625184c02b7f611cfda199a0e7f733ce7ae8481a3198cfae7462478fed3be4bfaa24028b3e4c62e7de40e6

memory/6112-20-0x0000000074A10000-0x0000000074FC1000-memory.dmp

memory/6112-21-0x0000000074A10000-0x0000000074FC1000-memory.dmp

memory/5980-27-0x0000000000400000-0x00000000004B5000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\svchost.exe

MD5 e118330b4629b12368d91b9df6488be0
SHA1 ce90218c7e3b90df2a3409ec253048bb6472c2fd
SHA256 3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
SHA512 ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0

memory/5980-29-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/5344-31-0x0000000074A10000-0x0000000074FC1000-memory.dmp

memory/5980-32-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/5980-34-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/5916-33-0x0000000000760000-0x0000000000761000-memory.dmp

memory/5980-24-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/5980-35-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/5980-36-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/5980-37-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/6112-38-0x0000000074A10000-0x0000000074FC1000-memory.dmp

memory/5980-39-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/5980-40-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/5980-41-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/5980-42-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/5980-43-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/5980-44-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/5980-45-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/5980-46-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/5980-47-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/5980-48-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/5980-49-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/5980-50-0x0000000000400000-0x00000000004B5000-memory.dmp