Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240730-en, locale:en-us, os:windows10-2004-x64, system
submitted: 02-08-2024 03:25
Static task: static1
Behavioral task: behavioral1
Sample: 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
Resource: win7-20240729-en
General
Target: 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
Size: 1.1MB
MD5: 82dc3548b3bdb2f5ac595a7b10a686b5
SHA1: 2fd25bcfb3440d3d9b55e20a6f272def0644fc9e
SHA256: a594312bae733f5b364d85bbb4116a31d5a40617b1e1487a4f1243cc6e15375d
SHA512: 82fe8bca701a04baaf577f70aea7e0fdbf13af4ddbf1422c0a75bba06aaf0e4a9f651e0dc7752326b9a792f53c648a119156467d9b3d3c8c7f1c4d296be10f6d
SSDEEP: 24576:pNh+giDWlMUKfb3QUi1Cqn21DEEZ6yh0u:pn+giEMr8UXsQQEJX
Malware Config
Extracted
Family: darkcomet
Botnet: Guest16
C2: yesyoa.no-ip.biz:1337
Mutex: DC_MUTEX-F54S21D
InstallPath: MSDCSC\msdcsc.exe
gencode: MlumXEwFRnE1
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence [2 TTPs, 1 IoCs]
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe

Checks computer location settings [2 TTPs, 1 IoCs]
Looks up country code configured in the registry, likely geofence.
Processes:
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\Control Panel\International\Geo\Nation | 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe

Deletes itself [1 IoCs]
Processes:
  pid | process
  4812 | notepad.exe

Executes dropped EXE [3 IoCs]
Processes:
  pid | process
  4220 | msdcsc.exe
  9160 | msdcsc.exe
  8552 | msdcsc.exe

Adds Run key to start application [2 TTPs, 2 IoCs]
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2077438316-259605770-1264560426-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | msdcsc.exe

Writes to the Master Boot Record (MBR) [1 TTPs, 2 IoCs]
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description | ioc | process
  File opened for modification | \??\PhysicalDrive0 | 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
  File opened for modification | \??\PhysicalDrive0 | msdcsc.exe

Suspicious use of SetThreadContext [4 IoCs]
Processes:
  description | pid | process | target process
  PID 4508 set thread context of 8804 | 4508 | 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe | 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
  PID 8804 set thread context of 3384 | 8804 | 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe | 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
  PID 4220 set thread context of 9160 | 4220 | msdcsc.exe | msdcsc.exe
  PID 9160 set thread context of 8552 | 9160 | msdcsc.exe | msdcsc.exe

Enumerates physical storage devices [1 TTPs]
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery [1 TTPs, 7 IoCs]
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdcsc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdcsc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdcsc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
Modifies registry class [1 IoCs]
Processes:
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe

Suspicious behavior: EnumeratesProcesses [64 IoCs]
Processes:
  pid | process
  4508 | 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe  (all 64 entries are this same pid/process pair)

Suspicious use of AdjustPrivilegeToken [48 IoCs]
Processes:
  pid | process | tokens (24 each, listed in the order reported)
  3384 | 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  8552 | msdcsc.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx [5 IoCs]
Processes:
  pid | process
  4508 | 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
  8804 | 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
  4220 | msdcsc.exe
  9160 | msdcsc.exe
  8552 | msdcsc.exe

Suspicious use of WriteProcessMemory [62 IoCs]
Processes (distinct source/target pairs; each pair is logged repeatedly, 62 entries in total):
  description | pid | process | target process
  PID 4508 wrote to memory of 8804 | 4508 | 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe | 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
  PID 8804 wrote to memory of 3384 | 8804 | 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe | 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
  PID 3384 wrote to memory of 4812 | 3384 | 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe | notepad.exe
  PID 3384 wrote to memory of 4220 | 3384 | 82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe | msdcsc.exe
  PID 4220 wrote to memory of 9160 | 4220 | msdcsc.exe | msdcsc.exe
  PID 9160 wrote to memory of 8552 | 9160 | msdcsc.exe | msdcsc.exe
Processes

[depth 1] C:\Users\Admin\AppData\Local\Temp\82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID: 4508

  [depth 2] C:\Users\Admin\AppData\Local\Temp\82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
    - Writes to the Master Boot Record (MBR)
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID: 8804

    [depth 3] C:\Users\Admin\AppData\Local\Temp\82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
      Command line: C:\Users\Admin\AppData\Local\Temp\82dc3548b3bdb2f5ac595a7b10a686b5_JaffaCakes118.exe
      - Modifies WinLogon for persistence
      - Checks computer location settings
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 3384

      [depth 4] C:\Windows\SysWOW64\notepad.exe
        Command line: notepad
        - Deletes itself
        - System Location Discovery: System Language Discovery
        PID: 4812

      [depth 4] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        PID: 4220

        [depth 5] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          - Executes dropped EXE
          - Writes to the Master Boot Record (MBR)
          - Suspicious use of SetThreadContext
          - System Location Discovery: System Language Discovery
          - Suspicious use of SetWindowsHookEx
          - Suspicious use of WriteProcessMemory
          PID: 9160

          [depth 6] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
            Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            PID: 8552
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Pre-OS Boot (1)
    Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads
Filesize: 1.1MB
MD5: 82dc3548b3bdb2f5ac595a7b10a686b5
SHA1: 2fd25bcfb3440d3d9b55e20a6f272def0644fc9e
SHA256: a594312bae733f5b364d85bbb4116a31d5a40617b1e1487a4f1243cc6e15375d
SHA512: 82fe8bca701a04baaf577f70aea7e0fdbf13af4ddbf1422c0a75bba06aaf0e4a9f651e0dc7752326b9a792f53c648a119156467d9b3d3c8c7f1c4d296be10f6d