Analysis
max time kernel: 150s
max time network: 118s
platform: windows7_x64
resource: win7-20240729-en
resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
submitted: 02-08-2024 03:25
Static task: static1
Behavioral task: behavioral1
Sample: 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
Resource: win7-20240729-en
General
Target: 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
Size: 1.1MB
MD5: 82dc3548b3bdb2f5ac595a7b10a686b5
SHA1: 2fd25bcfb3440d3d9b55e20a6f272def0644fc9e
SHA256: a594312bae733f5b364d85bbb4116a31d5a40617b1e1487a4f1243cc6e15375d
SHA512: 82fe8bca701a04baaf577f70aea7e0fdbf13af4ddbf1422c0a75bba06aaf0e4a9f651e0dc7752326b9a792f53c648a119156467d9b3d3c8c7f1c4d296be10f6d
SSDEEP: 24576:pNh+giDWlMUKfb3QUi1Cqn21DEEZ6yh0u:pn+giEMr8UXsQQEJX
Malware Config
Extracted
Family: darkcomet
Botnet: Guest16
C2: yesyoa.no-ip.biz:1337
Mutex: DC_MUTEX-F54S21D
InstallPath: MSDCSC\msdcsc.exe
gencode: MlumXEwFRnE1
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" by 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
Executes dropped EXE (3 IoCs)
Processes:
- PID 3380 msdcsc.exe
- PID 3684 msdcsc.exe
- PID 4040 msdcsc.exe
Loads dropped DLL (2 IoCs)
Processes:
- PID 2432 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe (both entries)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" by 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2257386474-3982792636-3902186748-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" by msdcsc.exe
Writes to the Master Boot Record (MBR) (1 TTP, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
- File opened for modification \??\PhysicalDrive0 by 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
- File opened for modification \??\PhysicalDrive0 by msdcsc.exe
Suspicious use of SetThreadContext (4 IoCs)
Processes:
- PID 2544 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe set thread context of PID 3396 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
- PID 3396 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe set thread context of PID 2432 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
- PID 3380 msdcsc.exe set thread context of PID 3684 msdcsc.exe
- PID 3684 msdcsc.exe set thread context of PID 4040 msdcsc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 7 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by msdcsc.exe (3 entries)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe (3 entries)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by notepad.exe (1 entry)
Suspicious behavior: EnumeratesProcesses (64 IoCs)
Processes:
- PID 2544 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe (all 64 entries)
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes:
- PID 2432 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- PID 4040 msdcsc.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx (5 IoCs)
Processes:
- PID 2544 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
- PID 3396 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
- PID 3380 msdcsc.exe
- PID 3684 msdcsc.exe
- PID 4040 msdcsc.exe
Suspicious use of WriteProcessMemory (64 IoCs)
Processes (distinct source and target pairs; each pair is repeated several times in the original table):
- PID 2544 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe wrote to memory of PID 3396 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
- PID 3396 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe wrote to memory of PID 2432 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
- PID 2432 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe wrote to memory of PID 2036 notepad.exe
- PID 2432 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe wrote to memory of PID 3380 msdcsc.exe
- PID 3380 msdcsc.exe wrote to memory of PID 3684 msdcsc.exe
- PID 3684 msdcsc.exe wrote to memory of PID 4040 msdcsc.exe
Processes (indented by process tree depth)
C:\Users\Admin\AppData\Local\Temp\82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe"
  PID: 2544
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
    PID: 3396
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
      PID: 2432
      - Modifies WinLogon for persistence
      - Loads dropped DLL
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\notepad.exe
        Command line: notepad
        PID: 2036
        - System Location Discovery: System Language Discovery
      C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        PID: 3380
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          PID: 3684
          - Executes dropped EXE
          - Writes to the Master Boot Record (MBR)
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
            Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
            PID: 4040
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Pre-OS Boot (1)
  - Bootkit (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)