darkcomet | a6d49f10562fc3a4e5110847859ec9e69a1bf8ec0e6829dbca5c95c2ef68dc1f

Analysis

max time kernel
150s
max time network
152s
platform
windows10-2004_x64
resource
win10v2004-20240709-en
resource tags

arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system
submitted
25-07-2024 15:13

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe
Size

836KB
MD5

701e418837c6325340b5b4e3cdc30803
SHA1

ef21e96c4643f0c0736c6e33b25360d4e9f6674f
SHA256

a6d49f10562fc3a4e5110847859ec9e69a1bf8ec0e6829dbca5c95c2ef68dc1f
SHA512

69c5a99c0e44cd74ad4be7cc301ad348f0c99fe0cca3008daeb42c336250e4f0a2d9054ff6a1762d74276cce1c574307e035d66edc1405006b586ddd710ef3e5
SSDEEP

24576:lKUxEfCEWTh5YfB9ElFmKfydKMzX5CHwhb8mjZ:lKEEqE8hG0mKKdjMQ/

Score

10^/10

darkcomet guest16 discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

darkcomet2013.no-ip.biz:1500

192.168.1.71:1500

Mutex

DC_MUTEX-YKTADE4

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
JjcA0G04gMqw
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 13 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	hstj.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe"	msdcsc.exe

Modifies security service 2 TTPs 1 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	msdcsc.exe

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe

Disables RegEdit via registry modification 1 IoCs

evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	msdcsc.exe

Disables Task Manager via registry modification
evasion

Sets file to hidden 1 TTPs 26 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
4612	attrib.exe
432	attrib.exe
4332	attrib.exe
3352	attrib.exe
4580	attrib.exe
1332	attrib.exe
1332	attrib.exe
768	attrib.exe
2892	attrib.exe
1160	attrib.exe
3356	attrib.exe
4332	attrib.exe
3392	attrib.exe
3056	attrib.exe
1924	attrib.exe
1704	attrib.exe
3228	attrib.exe
2656	attrib.exe
4192	attrib.exe
2504	attrib.exe
4768	attrib.exe
3668	attrib.exe
2364	attrib.exe
4868	attrib.exe
2892	attrib.exe
3936	attrib.exe

Checks computer location settings 2 TTPs 14 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	hstj.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\Control Panel\International\Geo\Nation	msdcsc.exe

Executes dropped EXE 27 IoCs

pid	Process
4984	hstj.exe
868	Hack Steam V1.0 By Drikershack.exe
2404	hstj.exe
3516	msdcsc.exe
1692	msdcsc.exe
432	msdcsc.exe
4472	msdcsc.exe
3804	msdcsc.exe
3312	msdcsc.exe
4384	msdcsc.exe
1632	msdcsc.exe
2956	msdcsc.exe
1888	msdcsc.exe
4428	msdcsc.exe
4520	msdcsc.exe
4336	msdcsc.exe
3744	msdcsc.exe
2956	msdcsc.exe
2496	msdcsc.exe
5108	msdcsc.exe
5000	msdcsc.exe
736	msdcsc.exe
1716	msdcsc.exe
1148	msdcsc.exe
5108	msdcsc.exe
768	msdcsc.exe
1140	msdcsc.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe

Adds Run key to start application 2 TTPs 13 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	hstj.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\JjcA0G04gMqw\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2990742725-2267136959-192470804-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\JjcA0G04gMqw\\msdcsc.exe"	msdcsc.exe

Drops file in System32 directory 64 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	hstj.exe
File created	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	hstj.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	hstj.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe	msdcsc.exe

Suspicious use of SetThreadContext 13 IoCs

description	pid	Process	procid_target
PID 4984 set thread context of 2404	4984	hstj.exe	87
PID 3516 set thread context of 1692	3516	msdcsc.exe	105
PID 432 set thread context of 4472	432	msdcsc.exe	114
PID 3804 set thread context of 3312	3804	msdcsc.exe	123
PID 4384 set thread context of 1632	4384	msdcsc.exe	133
PID 2956 set thread context of 1888	2956	msdcsc.exe	144
PID 4428 set thread context of 4520	4428	msdcsc.exe	153
PID 4336 set thread context of 3744	4336	msdcsc.exe	162
PID 2956 set thread context of 2496	2956	msdcsc.exe	171
PID 5108 set thread context of 5000	5108	msdcsc.exe	180
PID 736 set thread context of 1716	736	msdcsc.exe	190
PID 1148 set thread context of 5108	1148	msdcsc.exe	199
PID 768 set thread context of 1140	768	msdcsc.exe	208

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 64 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hstj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	hstj.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Hack Steam V1.0 By Drikershack.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Modifies registry class 12 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	hstj.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2404	hstj.exe
Token: SeSecurityPrivilege	2404	hstj.exe
Token: SeTakeOwnershipPrivilege	2404	hstj.exe
Token: SeLoadDriverPrivilege	2404	hstj.exe
Token: SeSystemProfilePrivilege	2404	hstj.exe
Token: SeSystemtimePrivilege	2404	hstj.exe
Token: SeProfSingleProcessPrivilege	2404	hstj.exe
Token: SeIncBasePriorityPrivilege	2404	hstj.exe
Token: SeCreatePagefilePrivilege	2404	hstj.exe
Token: SeBackupPrivilege	2404	hstj.exe
Token: SeRestorePrivilege	2404	hstj.exe
Token: SeShutdownPrivilege	2404	hstj.exe
Token: SeDebugPrivilege	2404	hstj.exe
Token: SeSystemEnvironmentPrivilege	2404	hstj.exe
Token: SeChangeNotifyPrivilege	2404	hstj.exe
Token: SeRemoteShutdownPrivilege	2404	hstj.exe
Token: SeUndockPrivilege	2404	hstj.exe
Token: SeManageVolumePrivilege	2404	hstj.exe
Token: SeImpersonatePrivilege	2404	hstj.exe
Token: SeCreateGlobalPrivilege	2404	hstj.exe
Token: 33	2404	hstj.exe
Token: 34	2404	hstj.exe
Token: 35	2404	hstj.exe
Token: 36	2404	hstj.exe
Token: SeIncreaseQuotaPrivilege	1692	msdcsc.exe
Token: SeSecurityPrivilege	1692	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1692	msdcsc.exe
Token: SeLoadDriverPrivilege	1692	msdcsc.exe
Token: SeSystemProfilePrivilege	1692	msdcsc.exe
Token: SeSystemtimePrivilege	1692	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1692	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1692	msdcsc.exe
Token: SeCreatePagefilePrivilege	1692	msdcsc.exe
Token: SeBackupPrivilege	1692	msdcsc.exe
Token: SeRestorePrivilege	1692	msdcsc.exe
Token: SeShutdownPrivilege	1692	msdcsc.exe
Token: SeDebugPrivilege	1692	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1692	msdcsc.exe
Token: SeChangeNotifyPrivilege	1692	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1692	msdcsc.exe
Token: SeUndockPrivilege	1692	msdcsc.exe
Token: SeManageVolumePrivilege	1692	msdcsc.exe
Token: SeImpersonatePrivilege	1692	msdcsc.exe
Token: SeCreateGlobalPrivilege	1692	msdcsc.exe
Token: 33	1692	msdcsc.exe
Token: 34	1692	msdcsc.exe
Token: 35	1692	msdcsc.exe
Token: 36	1692	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	4472	msdcsc.exe
Token: SeSecurityPrivilege	4472	msdcsc.exe
Token: SeTakeOwnershipPrivilege	4472	msdcsc.exe
Token: SeLoadDriverPrivilege	4472	msdcsc.exe
Token: SeSystemProfilePrivilege	4472	msdcsc.exe
Token: SeSystemtimePrivilege	4472	msdcsc.exe
Token: SeProfSingleProcessPrivilege	4472	msdcsc.exe
Token: SeIncBasePriorityPrivilege	4472	msdcsc.exe
Token: SeCreatePagefilePrivilege	4472	msdcsc.exe
Token: SeBackupPrivilege	4472	msdcsc.exe
Token: SeRestorePrivilege	4472	msdcsc.exe
Token: SeShutdownPrivilege	4472	msdcsc.exe
Token: SeDebugPrivilege	4472	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	4472	msdcsc.exe
Token: SeChangeNotifyPrivilege	4472	msdcsc.exe
Token: SeRemoteShutdownPrivilege	4472	msdcsc.exe

Suspicious use of SetWindowsHookEx 14 IoCs

pid	Process
4984	hstj.exe
3516	msdcsc.exe
432	msdcsc.exe
3804	msdcsc.exe
4384	msdcsc.exe
2956	msdcsc.exe
4428	msdcsc.exe
4336	msdcsc.exe
2956	msdcsc.exe
5108	msdcsc.exe
736	msdcsc.exe
1148	msdcsc.exe
768	msdcsc.exe
1140	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 32 wrote to memory of 4984	32	701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe	84
PID 32 wrote to memory of 4984	32	701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe	84
PID 32 wrote to memory of 4984	32	701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe	84
PID 32 wrote to memory of 868	32	701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe	85
PID 32 wrote to memory of 868	32	701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe	85
PID 32 wrote to memory of 868	32	701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe	85
PID 4984 wrote to memory of 2404	4984	hstj.exe	87
PID 4984 wrote to memory of 2404	4984	hstj.exe	87
PID 4984 wrote to memory of 2404	4984	hstj.exe	87
PID 4984 wrote to memory of 2404	4984	hstj.exe	87
PID 4984 wrote to memory of 2404	4984	hstj.exe	87
PID 4984 wrote to memory of 2404	4984	hstj.exe	87
PID 4984 wrote to memory of 2404	4984	hstj.exe	87
PID 4984 wrote to memory of 2404	4984	hstj.exe	87
PID 4984 wrote to memory of 2404	4984	hstj.exe	87
PID 4984 wrote to memory of 2404	4984	hstj.exe	87
PID 4984 wrote to memory of 2404	4984	hstj.exe	87
PID 4984 wrote to memory of 2404	4984	hstj.exe	87
PID 4984 wrote to memory of 2404	4984	hstj.exe	87
PID 4984 wrote to memory of 2404	4984	hstj.exe	87
PID 2404 wrote to memory of 4324	2404	hstj.exe	97
PID 2404 wrote to memory of 4324	2404	hstj.exe	97
PID 2404 wrote to memory of 4324	2404	hstj.exe	97
PID 2404 wrote to memory of 1980	2404	hstj.exe	99
PID 2404 wrote to memory of 1980	2404	hstj.exe	99
PID 2404 wrote to memory of 1980	2404	hstj.exe	99
PID 2404 wrote to memory of 1716	2404	hstj.exe	100
PID 2404 wrote to memory of 1716	2404	hstj.exe	100
PID 2404 wrote to memory of 1716	2404	hstj.exe	100
PID 2404 wrote to memory of 1716	2404	hstj.exe	100
PID 2404 wrote to memory of 1716	2404	hstj.exe	100
PID 2404 wrote to memory of 1716	2404	hstj.exe	100
PID 2404 wrote to memory of 1716	2404	hstj.exe	100
PID 2404 wrote to memory of 1716	2404	hstj.exe	100
PID 2404 wrote to memory of 1716	2404	hstj.exe	100
PID 2404 wrote to memory of 1716	2404	hstj.exe	100
PID 2404 wrote to memory of 1716	2404	hstj.exe	100
PID 2404 wrote to memory of 1716	2404	hstj.exe	100
PID 2404 wrote to memory of 1716	2404	hstj.exe	100
PID 2404 wrote to memory of 1716	2404	hstj.exe	100
PID 2404 wrote to memory of 1716	2404	hstj.exe	100
PID 2404 wrote to memory of 1716	2404	hstj.exe	100
PID 2404 wrote to memory of 1716	2404	hstj.exe	100
PID 4324 wrote to memory of 4192	4324	cmd.exe	102
PID 4324 wrote to memory of 4192	4324	cmd.exe	102
PID 4324 wrote to memory of 4192	4324	cmd.exe	102
PID 1980 wrote to memory of 1704	1980	cmd.exe	103
PID 1980 wrote to memory of 1704	1980	cmd.exe	103
PID 1980 wrote to memory of 1704	1980	cmd.exe	103
PID 2404 wrote to memory of 3516	2404	hstj.exe	104
PID 2404 wrote to memory of 3516	2404	hstj.exe	104
PID 2404 wrote to memory of 3516	2404	hstj.exe	104
PID 3516 wrote to memory of 1692	3516	msdcsc.exe	105
PID 3516 wrote to memory of 1692	3516	msdcsc.exe	105
PID 3516 wrote to memory of 1692	3516	msdcsc.exe	105
PID 3516 wrote to memory of 1692	3516	msdcsc.exe	105
PID 3516 wrote to memory of 1692	3516	msdcsc.exe	105
PID 3516 wrote to memory of 1692	3516	msdcsc.exe	105
PID 3516 wrote to memory of 1692	3516	msdcsc.exe	105
PID 3516 wrote to memory of 1692	3516	msdcsc.exe	105
PID 3516 wrote to memory of 1692	3516	msdcsc.exe	105
PID 3516 wrote to memory of 1692	3516	msdcsc.exe	105
PID 3516 wrote to memory of 1692	3516	msdcsc.exe	105
PID 3516 wrote to memory of 1692	3516	msdcsc.exe	105

System policy modification 1 TTPs 3 IoCs

evasion

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion	msdcsc.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"	msdcsc.exe

Views/modifies file attributes 1 TTPs 26 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
4768	attrib.exe
4580	attrib.exe
3392	attrib.exe
1332	attrib.exe
4332	attrib.exe
2364	attrib.exe
3056	attrib.exe
3936	attrib.exe
2892	attrib.exe
3356	attrib.exe
3228	attrib.exe
2656	attrib.exe
1924	attrib.exe
3352	attrib.exe
4332	attrib.exe
1332	attrib.exe
2504	attrib.exe
4612	attrib.exe
4192	attrib.exe
1704	attrib.exe
4868	attrib.exe
1160	attrib.exe
768	attrib.exe
3668	attrib.exe
2892	attrib.exe
432	attrib.exe

C:\Users\Admin\AppData\Local\Temp\701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\701e418837c6325340b5b4e3cdc30803_JaffaCakes118.exe"
1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:32
- C:\Users\Admin\AppData\Local\Temp\hstj.exe
  "C:\Users\Admin\AppData\Local\Temp\hstj.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4984
- - C:\Users\Admin\AppData\Local\Temp\hstj.exe
    C:\Users\Admin\AppData\Local\Temp\hstj.exe
    3⤵
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:2404
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\hstj.exe" +s +h
      4⤵
      Suspicious use of WriteProcessMemory
      PID:4324
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp\hstj.exe" +s +h
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4192
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:1980
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1704
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      System Location Discovery: System Language Discovery
      PID:1716
  - - C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
      "C:\Windows\system32\MSDCSC\msdcsc.exe"
      4⤵
      Executes dropped EXE
      Drops file in System32 directory
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:3516
    - - C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        5⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:1692
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4264
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:2892
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        6⤵
        
        PID:3648
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        7⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3668
      - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1164
      - C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\JjcA0G04gMqw\msdcsc.exe"
        6⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:432
        
        C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe
        
        C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe
        7⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        Suspicious use of AdjustPrivilegeToken
        
        PID:4472
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe" +s +h
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:1340
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe" +s +h
        9⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:2364
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw" +s +h
        8⤵
        System Location Discovery: System Language Discovery
        
        PID:3096
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw" +s +h
        9⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2504
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        8⤵
        
        PID:2520
        
        C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe"
        8⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:3804
        
        C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe
        
        C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe
        9⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3312
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe" +s +h
        10⤵
        
        PID:3052
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe" +s +h
        11⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw" +s +h
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:5092
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw" +s +h
        11⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4868
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        10⤵
        System Location Discovery: System Language Discovery
        
        PID:2212
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        10⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4384
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        11⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:1632
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        12⤵
        
        PID:632
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        13⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4580
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:2760
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        13⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2892
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        12⤵
        System Location Discovery: System Language Discovery
        
        PID:4860
        
        C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\JjcA0G04gMqw\msdcsc.exe"
        12⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2956
        
        C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe
        
        C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe
        13⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:1888
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe" +s +h
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:4300
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe" +s +h
        15⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1160
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw" +s +h
        14⤵
        
        PID:3456
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw" +s +h
        15⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:3356
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        14⤵
        System Location Discovery: System Language Discovery
        
        PID:3212
        
        C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe"
        14⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4428
        
        C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe
        
        C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe
        15⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:4520
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe" +s +h
        16⤵
        
        PID:32
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe" +s +h
        17⤵
        Sets file to hidden
        Views/modifies file attributes
        
        PID:3228
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw" +s +h
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4580
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw" +s +h
        17⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3392
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        16⤵
        System Location Discovery: System Language Discovery
        
        PID:4852
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        16⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        Suspicious use of SetWindowsHookEx
        
        PID:4336
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        17⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:3744
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:4360
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        19⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:432
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        18⤵
        
        PID:4692
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        19⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1332
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        18⤵
        System Location Discovery: System Language Discovery
        
        PID:3584
        
        C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\JjcA0G04gMqw\msdcsc.exe"
        18⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2956
        
        C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe
        
        C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe
        19⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:2496
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe" +s +h
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:2892
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe" +s +h
        21⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw" +s +h
        20⤵
        
        PID:3756
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw" +s +h
        21⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3056
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        20⤵
        System Location Discovery: System Language Discovery
        
        PID:3928
        
        C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe"
        20⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:5108
        
        C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe
        
        C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe
        21⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5000
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe" +s +h
        22⤵
        
        PID:4408
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe" +s +h
        23⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:4332
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw" +s +h
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:4364
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw" +s +h
        23⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1332
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        22⤵
        System Location Discovery: System Language Discovery
        
        PID:4128
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        22⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:736
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        23⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        Modifies registry class
        
        PID:1716
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        24⤵
        
        PID:1736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\msdcsc.exe" +s +h
        25⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:768
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        24⤵
        
        PID:4736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        25⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2656
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        24⤵
        System Location Discovery: System Language Discovery
        
        PID:3788
        
        C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\JjcA0G04gMqw\msdcsc.exe"
        24⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1148
        
        C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe
        
        C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe
        25⤵
        Modifies WinLogon for persistence
        Checks computer location settings
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Modifies registry class
        
        PID:5108
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe" +s +h
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:1688
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\msdcsc.exe" +s +h
        27⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:4612
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw" +s +h
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:4388
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw" +s +h
        27⤵
        Sets file to hidden
        Drops file in System32 directory
        Views/modifies file attributes
        
        PID:1924
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        26⤵
        System Location Discovery: System Language Discovery
        
        PID:4632
        
        C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe"
        26⤵
        Executes dropped EXE
        Drops file in System32 directory
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:768
        
        C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe
        
        C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe
        27⤵
        Modifies WinLogon for persistence
        Modifies security service
        Windows security bypass
        Disables RegEdit via registry modification
        Checks computer location settings
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        Drops file in System32 directory
        Suspicious use of SetWindowsHookEx
        System policy modification
        
        PID:1140
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe" +s +h
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:736
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw\msdcsc.exe" +s +h
        29⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3936
        
        C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw" +s +h
        28⤵
        System Location Discovery: System Language Discovery
        
        PID:2996
        
        C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC\JjcA0G04gMqw\JjcA0G04gMqw" +s +h
        29⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:3352
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        28⤵
        
        PID:3620
- C:\Users\Admin\AppData\Local\Temp\Hack Steam V1.0 By Drikershack.exe
  "C:\Users\Admin\AppData\Local\Temp\Hack Steam V1.0 By Drikershack.exe"
  2⤵
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  PID:868

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\Hack Steam V1.0 By Drikershack.exe

Filesize
78KB

MD5
c8083b3690812fd277fb980f46d68b16

SHA1
7fa7426988fe56396e089b2b0d9b50f8e3159436

SHA256
57e1e5f734ea8d0d1aebf39a6aeb8a26ccba872dd47bb282fe439987efe10aed

SHA512
f402bd9aee318c32d2f8e74fc937e88116d96bb1619910020bac28ac1b05f00a1825f34d544ad4debb23e7c0cce1a214c1ba72d56808eb51a5d1933a6a8b3ef6

Download Submit
C:\Users\Admin\AppData\Local\Temp\hstj.exe

Filesize
725KB

MD5
7bbe2da9d59af22de8ef4ae7a9c4d94d

SHA1
d699be178976118eb2ebb193144ce173031cdf2b

SHA256
db940a7ef59596660c87b4bc91e0cbd4cd46e7853dca836348bf046b68fde50a

SHA512
4415847ac260501d9d0ef447a6e4e74489c8ae53e9fd8ae4d01cf97adb733ec6dccb02bdd344d6713b7d7ac367e4045ba97121c02c92d582d172c9d0417e620a

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2990742725-2267136959-192470804-1000\699c4b9cdebca7aaea5193cae8a50098_788ae237-ee4c-4efc-8ed7-d59fbc591025

Filesize
50B

MD5
5b63d4dd8c04c88c0e30e494ec6a609a

SHA1
884d5a8bdc25fe794dc22ef9518009dcf0069d09

SHA256
4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd

SHA512
15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb

Download Submit
memory/32-1-0x0000000000050000-0x0000000000060000-memory.dmp

Filesize
64KB

Download
memory/32-2-0x00007FF9D9C80000-0x00007FF9DA741000-memory.dmp

Filesize
10.8MB

Download
memory/32-0-0x00007FF9D9C83000-0x00007FF9D9C85000-memory.dmp

Filesize
8KB

Download
memory/32-40-0x00007FF9D9C80000-0x00007FF9DA741000-memory.dmp

Filesize
10.8MB

Download
memory/432-190-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/432-182-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/736-769-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/768-913-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/868-36-0x0000000000620000-0x000000000063C000-memory.dmp

Filesize
112KB

Download
memory/868-39-0x0000000004EF0000-0x0000000004F8C000-memory.dmp

Filesize
624KB

Download
memory/868-194-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

Filesize
4KB

Download
memory/868-42-0x0000000005540000-0x0000000005AE4000-memory.dmp

Filesize
5.6MB

Download
memory/868-31-0x0000000074D9E000-0x0000000074D9F000-memory.dmp

Filesize
4KB

Download
memory/868-43-0x0000000005030000-0x00000000050C2000-memory.dmp

Filesize
584KB

Download
memory/868-44-0x0000000004F90000-0x0000000004F9A000-memory.dmp

Filesize
40KB

Download
memory/868-45-0x00000000051C0000-0x0000000005216000-memory.dmp

Filesize
344KB

Download
memory/1148-842-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/1632-399-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1692-116-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1692-183-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/1716-50-0x0000000000650000-0x0000000000651000-memory.dmp

Filesize
4KB

Download
memory/1888-472-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2404-109-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2404-32-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2404-48-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2404-34-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2404-35-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2404-41-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2496-688-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/2956-617-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2956-409-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2956-625-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3312-327-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3516-118-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3744-615-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/3804-265-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/3804-257-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4336-553-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4384-337-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4428-481-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4472-255-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4520-543-0x0000000000400000-0x00000000004BD000-memory.dmp

Filesize
756KB

Download
memory/4984-38-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/4984-27-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/4984-21-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/5108-698-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads