darkcomet | b7823d37c3aa2026e7da5ae16479bc5eb151c43640e6c577a2a10f8aadcff040

Analysis

max time kernel
141s
max time network
129s
platform
windows7_x64
resource
win7-20240704-en
resource tags

arch:x64arch:x86image:win7-20240704-enlocale:en-usos:windows7-x64system
submitted
24/07/2024, 00:15

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
Size

334KB
MD5

6987e054d3f5db6755e33c47636e5058
SHA1

7bfe09fd31d843639ce5de9119553f3e25ec64ad
SHA256

b7823d37c3aa2026e7da5ae16479bc5eb151c43640e6c577a2a10f8aadcff040
SHA512

622b02879308ab410cea9b75019947677bbd0e3f2787e1ca57845dba2c916202f3bfdec315cab21dc3c208cc8d4ea96e1c4a158ded30ad5168dda0fc13383a1f
SSDEEP

6144:Ow7mFvX4PWlLnTb2mpF4jb6dnUCL/AFKWkkeLJvEZhURqPmh469Rv:5kvYILnTtpG/2JzLpyhfe

Score

10^/10

darkcomet discovery evasion persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 2 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
2556	attrib.exe
2848	attrib.exe

Executes dropped EXE 1 IoCs

pid	Process
2916	msdcsc.exe

Loads dropped DLL 7 IoCs

pid	Process
2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
2344	WerFault.exe
2344	WerFault.exe
2344	WerFault.exe
2344	WerFault.exe
2344	WerFault.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\explorer = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Drops file in System32 directory 6 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 1 IoCs

pid	pid_target	Process	procid_target
2344	2916	WerFault.exe	41

System Location Discovery: System Language Discovery 1 TTPs 10 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	PING.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

System Network Configuration Discovery: Internet Connection Discovery 1 TTPs 1 IoCs

Adversaries may check for Internet connectivity on compromised systems.

discovery

Internet Connection Discovery

T1016.001

pid	Process
2844	PING.EXE

Modifies Internet Explorer settings 1 TTPs 36 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{D02699C1-4951-11EF-8705-5AE8573B0ABD} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NTPFirstRun = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\LastProcessed = 9013bda45eddda01	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000000000001000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "427941988"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\MFV = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f035510000000002000000000010660000000100002000000071aacfa54a5b86f2091afb0c1161b4c5223f5442f8738d7e791e497692c9d0f2000000000e8000000002000020000000122fd0e9e3429132d8ece4122e6cfc8665d4cec9ab8d9582ce0d03580140a6e190000000ae84e03f8a96b2f4b232fc10057916958e46d6d4d9466be390ed5078ea603b1cbc6ba37c21b5f4468d00c41f5f61a19af87044b4e29f666773709375ae69fb74913baab0dbb6379413982bbd071052e82223e0e8d73a8d1c9760187830589c783fff805e479837c1f022b74ae42db593232d4f5b732a687a8ffb4f309cff3e7cd4210f65b93a4ebd3309e33a6aab202d40000000403054350029b857ad3954cd45440e46f46fadca87ddeb84876ad804a5fdfe5183f053d168d14180f48a7958c733c2f1f65e50b632ed650364a6f9b35b82c685	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Internet Explorer\TabbedBrowsing\NewTabPage\DecayDateQueue = 01000000d08c9ddf0115d1118c7a00c04fc297eb010000000d854e951ecdca4792ad3aea80f0355100000000020000000000106600000001000020000000a0fb6a0c0e77d53442aaf016f31e0d8a072831fa2a82cde47dac643affd3a58b000000000e8000000002000020000000eafa2f985eed111dee1c84c98d8bc38c096cba34fb80d25fe8106159cf025e3f20000000be93432bf0d325a65abe3e2ed1c1bdc2a7cc0635c97f233b9fcab823b43f452e400000001e819c5d22bad2f2e2bfc0b9d8a056748c1e4bbb717b6a976a2bf67d35ced306c87cd654819c9da2e0dc4508618c84f97a3c9228f1ddd718fcb8dee327ac25f9	iexplore.exe

Runs ping.exe 1 TTPs 1 IoCs

Remote System Discovery

T1018

pid	Process
2844	PING.EXE

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
Token: SeSecurityPrivilege	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
Token: SeBackupPrivilege	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
Token: SeRestorePrivilege	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
Token: SeShutdownPrivilege	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
Token: SeDebugPrivilege	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
Token: SeUndockPrivilege	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
Token: 33	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
Token: 34	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
Token: 35	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2916	msdcsc.exe
Token: SeSecurityPrivilege	2916	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2916	msdcsc.exe
Token: SeLoadDriverPrivilege	2916	msdcsc.exe
Token: SeSystemProfilePrivilege	2916	msdcsc.exe
Token: SeSystemtimePrivilege	2916	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2916	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2916	msdcsc.exe
Token: SeCreatePagefilePrivilege	2916	msdcsc.exe
Token: SeBackupPrivilege	2916	msdcsc.exe
Token: SeRestorePrivilege	2916	msdcsc.exe
Token: SeShutdownPrivilege	2916	msdcsc.exe
Token: SeDebugPrivilege	2916	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2916	msdcsc.exe
Token: SeChangeNotifyPrivilege	2916	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2916	msdcsc.exe
Token: SeUndockPrivilege	2916	msdcsc.exe
Token: SeManageVolumePrivilege	2916	msdcsc.exe
Token: SeImpersonatePrivilege	2916	msdcsc.exe
Token: SeCreateGlobalPrivilege	2916	msdcsc.exe
Token: 33	2916	msdcsc.exe
Token: 34	2916	msdcsc.exe
Token: 35	2916	msdcsc.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2368	iexplore.exe

Suspicious use of SetWindowsHookEx 4 IoCs

pid	Process
2368	iexplore.exe
2368	iexplore.exe
2544	IEXPLORE.EXE
2544	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2712 wrote to memory of 2772	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe	30
PID 2712 wrote to memory of 2772	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe	30
PID 2712 wrote to memory of 2772	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe	30
PID 2712 wrote to memory of 2772	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe	30
PID 2712 wrote to memory of 2540	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe	32
PID 2712 wrote to memory of 2540	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe	32
PID 2712 wrote to memory of 2540	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe	32
PID 2712 wrote to memory of 2540	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe	32
PID 2712 wrote to memory of 2368	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe	34
PID 2712 wrote to memory of 2368	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe	34
PID 2712 wrote to memory of 2368	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe	34
PID 2712 wrote to memory of 2368	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe	34
PID 2772 wrote to memory of 2848	2772	cmd.exe	35
PID 2772 wrote to memory of 2848	2772	cmd.exe	35
PID 2772 wrote to memory of 2848	2772	cmd.exe	35
PID 2772 wrote to memory of 2848	2772	cmd.exe	35
PID 2540 wrote to memory of 2556	2540	cmd.exe	36
PID 2540 wrote to memory of 2556	2540	cmd.exe	36
PID 2540 wrote to memory of 2556	2540	cmd.exe	36
PID 2540 wrote to memory of 2556	2540	cmd.exe	36
PID 2368 wrote to memory of 2544	2368	iexplore.exe	37
PID 2368 wrote to memory of 2544	2368	iexplore.exe	37
PID 2368 wrote to memory of 2544	2368	iexplore.exe	37
PID 2368 wrote to memory of 2544	2368	iexplore.exe	37
PID 2712 wrote to memory of 2796	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe	38
PID 2712 wrote to memory of 2796	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe	38
PID 2712 wrote to memory of 2796	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe	38
PID 2712 wrote to memory of 2796	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe	38
PID 2796 wrote to memory of 2844	2796	cmd.exe	40
PID 2796 wrote to memory of 2844	2796	cmd.exe	40
PID 2796 wrote to memory of 2844	2796	cmd.exe	40
PID 2796 wrote to memory of 2844	2796	cmd.exe	40
PID 2712 wrote to memory of 2916	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe	41
PID 2712 wrote to memory of 2916	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe	41
PID 2712 wrote to memory of 2916	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe	41
PID 2712 wrote to memory of 2916	2712	6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe	41
PID 2916 wrote to memory of 1500	2916	msdcsc.exe	42
PID 2916 wrote to memory of 1500	2916	msdcsc.exe	42
PID 2916 wrote to memory of 1500	2916	msdcsc.exe	42
PID 2916 wrote to memory of 1500	2916	msdcsc.exe	42
PID 2916 wrote to memory of 2344	2916	msdcsc.exe	43
PID 2916 wrote to memory of 2344	2916	msdcsc.exe	43
PID 2916 wrote to memory of 2344	2916	msdcsc.exe	43
PID 2916 wrote to memory of 2344	2916	msdcsc.exe	43

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
2556	attrib.exe
2848	attrib.exe

C:\Users\Admin\AppData\Local\Temp\6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\6987e054d3f5db6755e33c47636e5058_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2712
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2772
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2848
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2540
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2556
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe" C:\Users\Admin\AppData\Local\Temp\INDEX.HTML
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2368 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:2544
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2796
- - C:\Windows\SysWOW64\PING.EXE
    ping 127.0.0.1 -n 5
    3⤵
    - System Location Discovery: System Language Discovery
    - System Network Configuration Discovery: Internet Connection Discovery
    - Runs ping.exe
    PID:2844
- C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
  "C:\Windows\system32\MSDCSC\msdcsc.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1500
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2916 -s 604
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Remote System Discovery

T1018

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

System Network Configuration Discovery

T1016

Internet Connection Discovery

T1016.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3485bcaae683f7570a1919b588b4739a

SHA1
430703dc05ad7e6999f0f9fdc7fc64e24a28205a

SHA256
6d7f6cfa8d9e5cc5b70b998bcb680afdf2b9662df52f081ddb2252b537d8757b

SHA512
945847f7ee9fca73d8e2e9d51421e33065f7d91de98c28a9e705e17b2494a3a66e29d19cec41a1b428907961c89244246d6203fed15e460500b6c6d8ad831654

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
cd11daeffc3512c078e874ea829845ca

SHA1
e4baef8815d63957579a00e998266290c39433ce

SHA256
27cf0fd348da55c0e1c1aadaa4b4012e102ab14b261d2cc60b25be961e5b2770

SHA512
21e84fc25b7db33a219dfd5b3dae1003d009db2140272476753fd8af8e7c6c06580d590d237103dceb2c0262a7c31b1b17eb3bba968c720257d8da78559753b1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a68f333f5640efebfad321e6bc015f27

SHA1
26babb4a012da87c305f6e961e67381811d87a12

SHA256
acf5bfecbee918537a82e68febf45b2d750a82e1ba7ca8518602c533ba0ffa41

SHA512
62e232fd6f43ca30d0b526317e554ba9002defe2c62cbd92ab76b2db036fd27c306c4a4a8b51c7a59368244e9c97646058ffb70f25021c72f9d5dc3fce9f7253

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
16d581bf2e279440aa74959b7b68136d

SHA1
fcd9c99746eb1d89e5245cb3c74c3a486aa3865f

SHA256
e933ee657cf12d8bd68099a9629693825907abed3c637290662590147b51c48a

SHA512
8e6bbfc39dcf843e3e28de6d2012ad46e2fc7bfe073339bf2337415237f67428666debfb321b7b4821cf3ab7ce96587cdaa2ef4330199dc65e17a9ee528d7a87

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0a0e2e66df06069f19da026f39df9db8

SHA1
eb5db43432dc8856fa077fa1db58ec3f03ce8c48

SHA256
8f1e2fae919372df8cccbffd2010915b26288101ceb5ed68025668e1f2268f0b

SHA512
b26ae589ef6e4347de7a06151997e915bbf08f16d74687007665f967d5a70e752b079c670f07b6e96b27010d34224bfa6797d18ae0d0baf121041ae2c7ecdad0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
39528f547bf5919ad00e55da27933075

SHA1
02534a6a0eac336e49cf58a53ac0fc4247a72e74

SHA256
81bcc1b4cccd9fe8b28ab9411aee1f7319ca15e8af89f4eb3d2d77c9dc0035a3

SHA512
6b49c91f1f5b06e39c839cab3eab6aad9bf70e3c0de5153950192df2745e0d2512d04fe4dd352da83f6b5b97658d2ddd5dea9b8224cb0fc74694b5c7e5493b4a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7bd105d26984a449ee6207f4285228cb

SHA1
b416cf7ec192152176c0a9c82fdcbb3f7abae4bf

SHA256
cc437d13616c0dd666e876425454b151a763e239643d270ab1b2798fa41e8d34

SHA512
797533dc2800a72152794d50affb2523348711b01631930c47d435252535fc012569cce83b33509ae0ccfe23b4b53436a00b21f03e727edf591bf540717421e7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5fb6c64242ad1176d0ff53f6db24cf01

SHA1
48a98f08cb25db36fb923639688b510853c50083

SHA256
3e9ec30f6968d0179b09f99dedbee4537d8622b852271e0953f60c12820ecc19

SHA512
e0646c0cd936be8c373d98a6d4f992f0f8ee6db9c205cf8bd406f06f11d1fc378c49400f834c75a3a9e6a8ea0dd44b46188789c28cba564a4df366298f631b80

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
aa34fc2597a6413548e678a0fd7408f8

SHA1
c9723d613bb6d688891f722e24c0646cf934b046

SHA256
528cdb5965255187800ad3b852a67bb604f6eb29145c484b4125e5a924ff17a2

SHA512
92fa2a3b7bca7b155db8281a72745d662e0d36d73d1d12931586188000830bb5c4c1ecfee16961fd60cbd41ad8c36d96c8230599d80e63a6bf8b97da4dfdbabc

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
51b78d91343cae4295ef2629f6ba4bce

SHA1
3dece5458b68552880ca18a7e71a961351402181

SHA256
cf6885ffbb825ff7d70d7de9d61ab13454212dc39d8bdcfc928dcb81ac3b4c0a

SHA512
043678f3d368dc26ec606945faaa97c8a71c7340b13dbfe93f34277232473c626119fe2bb15a89a0244759d44f1f31ea3ebc140dd8164b2369df796ad6628c13

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
61163e1ab28f9c16695c3819c2b1eefb

SHA1
d8a334c2fe38369a75c7ffdbff8f283e8bb15655

SHA256
d1bf5cc92ac7cbf4b30044f3351b27c2b8b2dd4458eaa5fe2c6117b127bedb5a

SHA512
64152e5be9849ace6f8186915e677032bd4e55d6733681bd89e22d762d3790b762c5a91df059368eda4621c5a1f117a19d2ce0a135825f3d79410e629c85b2a2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7363401fdf0243f8cee7daaa54b63b48

SHA1
9b7a3d61e890327304756c755182248b9652f741

SHA256
a10d54accb53f554345fe6de5c1fa0543b1fec61ddffc3fdadc0fb46541f9d58

SHA512
d82d88195e32c9e49d3dc91dc1300eb5e7d95b94ffb2c389c2938b727ad4e8aaf16411427aa2085cc8c10b561d93054d6110d41529793070977e628c33d66022

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
af61c7d9c48939029a02b93fd1e49c92

SHA1
03ff2fe67263c01fb822f71f04a4f800b5bffa34

SHA256
96f7f74e5105af5f5bf46707180692da6be87af7184fcfb5fc0886cb7c8d2cc2

SHA512
aa6cfb15b490867524cee9f4229b03476737cae2ae2077175801ac807b914614a3c3d397ad9955162a66f990726044a35a0426962b95bbca70749718fb2904d1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e3c377a893b59ef0d8355b6dd133bc7f

SHA1
d554a7da4c173cb53839bfc21a46e96c1bc20ab1

SHA256
f19f622627488ca60615f59cd2e272e98c059dda3f08267b3afc9fa23be86d79

SHA512
54501efde95ceb6d578fd93d8b5ab2f19e6b3323325e95f98543acf81930df7feb2ec0a5d151d5a3b613d5c02ac67a36d2b0c33650947504239183997333b4aa

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9bbc84235ea05277b8d324cf5087b848

SHA1
e0189520f019c6eb126efb5bb268d764298535a9

SHA256
271614431304b660a1a58b7061d6d4669a81464e2874d01afa1fe19b533ae7cc

SHA512
7b9a62a8a4f7dd0ef2ed8be9e3b97babf3262a447fca22fafbb7c52777750eed881ee6055772c46dd4492b6147f1dc4d857342f9bfa034afeabf16eacbfd76c7

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
beb60142dede81ee8d38d5b5566ee0ee

SHA1
4895bc7fe2f39293b4dddb4fa3bdb2437f62ee51

SHA256
d0f407f8cb22f578202ac7ca22a870b075866b13d4e986709a9845ef69c56e65

SHA512
708d833c93b8e2dc7fea6bc6173457e54704a13dfb2c31d5d87feea0ca011ffe9fe5d49cb1864a1b012cfdc6eec2c4880ef643efd1daffb7b54bd95262dd5cdb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
297bf9c4a81623abc025ff04b9e1c709

SHA1
6519b4f7415daa748d638219221560f2a36c3f1c

SHA256
e26dab8eed8321d129ff50828da5461ae36ae113a8f5f77a1f6dd2132747026a

SHA512
52925170e57c3148ef5a99ddd6137a6c536491f7e4554cf9fb4912bde4b32b386717cda9e022101b702803634baddf01436858524f72125111ddf2f78612e24c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
100fa1e5a63de190de6431368ef4ac5e

SHA1
27c0c61544a3e652adb72de629b40ef38fc88c88

SHA256
f55400a60c137c0e1dcd4fd4ca167a231a3ae0468ec81182eb70f1d36e23f43c

SHA512
275e734aa70ab9d388ddee7b370d06cfd3ed3c8cf02651734c14aa7fd8cbb3d9ce4a903d04789dd856eaa24a885a2a52f2a1aeb40fd2024e6ba61d0f50a0393f

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabF5F.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\INDEX.HTML

Filesize
10KB

MD5
dbc7d409e6df0b4bed2ea85f8f4c9ce1

SHA1
3a0d3308840292bd1d9b1477c3224aba2f47666e

SHA256
dd800dfeab983ccccf36fe5d4f02ac84b7eb031ce2766a60934aa2e2ca1347d5

SHA512
ddc7b3ef183a7c7f54b2919822efef5ebbfebd8669f16e096d5b8fa355ab5e474c8680168972fb9ddf68989b9f62496abcb0bd3f08c11754138612f1eb9d4c4d

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarF72.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

Filesize
101B

MD5
2386463e62e13b13ef150ba9a9c984e3

SHA1
438dc90d6480d4ec59a9e954cf61e26fc46d05a0

SHA256
083395c2de042c15ab102da4c64392853d81633a320700ef278248c061fbce8b

SHA512
9c45de679501bb00392775426830eef239f86e2b2961501bcda1b4b37adca4568bcadd2e26d893e5b764aa2b79c20a5351027d79804b2effa3e58fd1350262be

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

Filesize
50B

MD5
b774ae3fb1da087e1f83b4f7b2060e5a

SHA1
97eb9be49ac3af9c851c9e1e84e32bfd53e325a8

SHA256
adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b

SHA512
f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

Filesize
113B

MD5
87fd72f962c6fb7880c2f0d3e7cf7ef0

SHA1
42b5164324f8cb45fa32ee420ba9d76bd34d3486

SHA256
9b9019856aa44542f09bf1e1e0eb84ac0446a69667e4bf943d20fd67516d69e0

SHA512
26d6c6537f4b9504dd5805d740c78c7a201df33a879fde035e2d74d59a2b693c25223851cf3277753c9187b5063439429a5944ac10e956ac39ffd7bd8166830e

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

Filesize
54B

MD5
b960305e23cbfd65106f326e54e2edfd

SHA1
522c5e95a4306797b3e71bbe62158087f779ee7a

SHA256
c31911cf00619f811195612355d7c762cd7e65d7d06756f62815b029cda65855

SHA512
294181df282b6901de3e2743a6986637303f7bc63555ad171c07f6457d2895907aeae800eb7f948ac6380ba87e76423eb150792d05754aa6152c9d9921edc024

Download Submit
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe

Filesize
334KB

MD5
6987e054d3f5db6755e33c47636e5058

SHA1
7bfe09fd31d843639ce5de9119553f3e25ec64ad

SHA256
b7823d37c3aa2026e7da5ae16479bc5eb151c43640e6c577a2a10f8aadcff040

SHA512
622b02879308ab410cea9b75019947677bbd0e3f2787e1ca57845dba2c916202f3bfdec315cab21dc3c208cc8d4ea96e1c4a158ded30ad5168dda0fc13383a1f

Download Submit
memory/2712-1-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2712-0-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2712-42-0x0000000003FD0000-0x00000000040BA000-memory.dmp

Filesize
936KB

Download
memory/2712-45-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2712-43-0x0000000003FD0000-0x00000000040BA000-memory.dmp

Filesize
936KB

Download
memory/2916-493-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download
memory/2916-47-0x0000000000400000-0x00000000004EA000-memory.dmp

Filesize
936KB

Download

Analysis

Sharing

General

Malware Config

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads