Analysis Overview
SHA256
3f48a0ac6fd7487e22566c17ca1eda2bc9bede54adb53cc12bcd6a6afd23cc71
Threat Level: Known bad
The file 8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Darkcomet
Event Triggered Execution: Image File Execution Options Injection
Drops file in Drivers directory
Executes dropped EXE
Checks computer location settings
UPX packed file
Adds Run key to start application
AutoIT Executable
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Suspicious use of WriteProcessMemory
Suspicious use of FindShellTrayWindow
Suspicious use of SendNotifyMessage
Suspicious use of SetWindowsHookEx
Suspicious use of AdjustPrivilegeToken
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-08-11 00:47
Signatures
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Analysis: behavioral2
Detonation Overview
Submitted
2024-08-11 00:47
Reported
2024-08-11 00:50
Platform
win10v2004-20240802-en
Max time kernel
141s
Max time network
131s
Command Line
Signatures
Darkcomet
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\Cheat Counter Strike.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFService.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SavService.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcNASvc.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ALsvc.exe | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgam.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmailc.exe | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SavService.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acs.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastUI.exe | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxkickoff.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32gui.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgfws8.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwebgrd.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\op_mon.exe | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFService.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmailc.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.exe | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwServ.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acs.exe | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32gui.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwServ.exe | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFTray.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcproxy.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2service.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgfws8.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnsx.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpfsrv.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastUI.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgam.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msksrver.exe | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msksrver.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgtray.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcNASvc.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmsesvc.exe | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwebgrd.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxkickoff.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\op_mon.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgtray.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ALMon.exe | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe | C:\Windows\A new game and fun.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| N/A | N/A | C:\Windows\sara_sexy.exe | N/A |
| N/A | N/A | C:\Windows\A new game and fun.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MugeWara = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\MugeWara.exe | C:\Windows\A new game and fun.exe | N/A |
| File opened for modification | C:\Windows\sara_sexy.exe | C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe | N/A |
| File created | C:\Windows\9.ico | C:\Windows\sara_sexy.exe | N/A |
| File opened for modification | C:\Windows\9.ico | C:\Windows\sara_sexy.exe | N/A |
| File opened for modification | C:\Windows\A new game and fun.exe | C:\Windows\sara_sexy.exe | N/A |
| File created | C:\Windows\Cheat Counter Strike.exe | C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\Cheat Counter Strike.exe | C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe | N/A |
| File created | C:\Windows\sara_sexy.exe | C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe | N/A |
| File created | C:\Windows\A new game and fun.exe | C:\Windows\sara_sexy.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Cheat Counter Strike.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sara_sexy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\A new game and fun.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: 33 | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: 34 | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: 35 | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: 36 | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\A new game and fun.exe | N/A |
| N/A | N/A | C:\Windows\A new game and fun.exe | N/A |
| N/A | N/A | C:\Windows\A new game and fun.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\A new game and fun.exe | N/A |
| N/A | N/A | C:\Windows\A new game and fun.exe | N/A |
| N/A | N/A | C:\Windows\A new game and fun.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe"
C:\Windows\Cheat Counter Strike.exe
"C:\Windows\Cheat Counter Strike.exe"
C:\Windows\sara_sexy.exe
C:\Windows/sara_sexy.exe
C:\Windows\A new game and fun.exe
"C:\Windows/A new game and fun.exe"
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 4.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 28.118.140.52.in-addr.arpa | udp |
| N/A | 192.168.1.2:1604 | N/A | tcp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 157.123.68.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 198.187.3.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 55.36.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 48.229.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
Files
memory/1428-0-0x0000000000400000-0x0000000000516000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aut978E.tmp
| MD5 | 62cfa21a792fa76bcd8ce108afdf4517 |
| SHA1 | f04702cd7c91085c840b95b2de4a6726cf13a838 |
| SHA256 | 6febf4f5937805e186cbddd3e257719546f40c7b4b08052640c9c6927b66c490 |
| SHA512 | 2a755a1ad3fe122b97c1c77b4f87ba1164ea752f3a2fda997566cdde9ed185c23668f937113013eeba8818fb015f145d951f793ab15b027ede6b72ff3769d1cc |
C:\Windows\Cheat Counter Strike.exe
| MD5 | c0d1481589ba69abe6edde2c297ee5a2 |
| SHA1 | 55c0da236cd39bcf9935d25a15c0c35ab257cfc6 |
| SHA256 | cb1e144bca11f74425a9b52afaa443f07fca623e2a3834c142cf66c507386254 |
| SHA512 | 52b6ab4a235bbcc5477654e63066bf13b26e1209bf4c20a170179cf275fe42a7a5d79bb373f74151c465ad7b091d4c9ca2c86b67147ab2e8910867c1974b6349 |
memory/1428-28-0x0000000000400000-0x0000000000516000-memory.dmp
memory/1128-29-0x00000000006A0000-0x00000000006A1000-memory.dmp
memory/1328-27-0x0000000000400000-0x00000000004B8000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\aut9A8B.tmp
| MD5 | c454ff16ee361aa3437cbd3652bb4c89 |
| SHA1 | aa18bc928ccca208f089d0527bc5fa05040e2cbe |
| SHA256 | b8e204574f58ece85b3546e30a20610eab2a3ab8d2f8102099bab2e6e19acbc7 |
| SHA512 | e14b021ee5dfe7707f69ed6892482cd4e70414d531f8c725a6004073d9d05114ecebe6725cf5092e09a4a9b32faf50a47a83378aeed464bf42c2ca95292f2604 |
memory/1328-47-0x0000000000400000-0x00000000004B8000-memory.dmp
memory/1932-46-0x0000000000400000-0x0000000000519000-memory.dmp
memory/1932-50-0x0000000000400000-0x0000000000519000-memory.dmp
memory/1128-51-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/1128-53-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/1128-55-0x0000000000400000-0x00000000004B5000-memory.dmp
Analysis: behavioral1
Detonation Overview
Submitted
2024-08-11 00:47
Reported
2024-08-11 00:50
Platform
win7-20240708-en
Max time kernel
141s
Max time network
145s
Command Line
Signatures
Darkcomet
Drops file in Drivers directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\system32\drivers\etc\hosts | C:\Windows\Cheat Counter Strike.exe | N/A |
Event Triggered Execution: Image File Execution Options Injection
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SavService.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\op_mon.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acs.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgfws8.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpfsrv.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastUI.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnsx.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcproxy.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcNASvc.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SavService.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32gui.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgam.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msksrver.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2service.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnsx.exe | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFTray.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxkickoff.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwServ.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFService.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcNASvc.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msksrver.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ALsvc.exe | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\op_mon.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFTray.exe | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxservice.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFService.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcproxy.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32gui.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgtray.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ALMon.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.exe | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastUI.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ALsvc.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgfws8.exe | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgtray.exe | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmailc.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwebgrd.exe | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwebgrd.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxkickoff.exe | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acs.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe\Debugger = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| N/A | N/A | C:\Windows\sara_sexy.exe | N/A |
| N/A | N/A | C:\Windows\A new game and fun.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MugeWara = "C:\\Windows\\MugeWara.exe" | C:\Windows\A new game and fun.exe | N/A |
AutoIT Executable
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\MugeWara.exe | C:\Windows\A new game and fun.exe | N/A |
| File opened for modification | C:\Windows\9.ico | C:\Windows\SysWOW64\DllHost.exe | N/A |
| File opened for modification | C:\Windows\sara_sexy.exe | C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\A new game and fun.exe | C:\Windows\sara_sexy.exe | N/A |
| File created | C:\Windows\sara_sexy.exe | C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe | N/A |
| File created | C:\Windows\9.ico | C:\Windows\sara_sexy.exe | N/A |
| File opened for modification | C:\Windows\9.ico | C:\Windows\sara_sexy.exe | N/A |
| File created | C:\Windows\A new game and fun.exe | C:\Windows\sara_sexy.exe | N/A |
| File created | C:\Windows\Cheat Counter Strike.exe | C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe | N/A |
| File opened for modification | C:\Windows\Cheat Counter Strike.exe | C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Cheat Counter Strike.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\sara_sexy.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\DllHost.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\A new game and fun.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe | N/A |
Suspicious use of AdjustPrivilegeToken
| Description | Indicator | Process | Target |
| Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeSecurityPrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeLoadDriverPrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeSystemProfilePrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeSystemtimePrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeBackupPrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeRestorePrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeShutdownPrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeDebugPrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeChangeNotifyPrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeUndockPrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeManageVolumePrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeImpersonatePrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: SeCreateGlobalPrivilege | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: 33 | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: 34 | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
| Token: 35 | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
Suspicious use of FindShellTrayWindow
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\A new game and fun.exe | N/A |
| N/A | N/A | C:\Windows\A new game and fun.exe | N/A |
| N/A | N/A | C:\Windows\A new game and fun.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\DllHost.exe | N/A |
Suspicious use of SendNotifyMessage
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\A new game and fun.exe | N/A |
| N/A | N/A | C:\Windows\A new game and fun.exe | N/A |
| N/A | N/A | C:\Windows\A new game and fun.exe | N/A |
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\Cheat Counter Strike.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe"
C:\Windows\Cheat Counter Strike.exe
"C:\Windows\Cheat Counter Strike.exe"
C:\Windows\sara_sexy.exe
C:\Windows/sara_sexy.exe
C:\Windows\SysWOW64\DllHost.exe
C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}
C:\Windows\A new game and fun.exe
"C:\Windows/A new game and fun.exe"
Network
| Country | Destination | Domain | Proto |
| N/A | 192.168.1.2:1604 | N/A | tcp |
| N/A | 192.168.1.2:1604 | N/A | tcp |
| N/A | 192.168.1.2:1604 | N/A | tcp |
| N/A | 192.168.1.2:1604 | N/A | tcp |
| N/A | 192.168.1.2:1604 | N/A | tcp |
| N/A | 192.168.1.2:1604 | N/A | tcp |
| N/A | 192.168.1.2:1604 | N/A | tcp |
Files
memory/2512-0-0x0000000000400000-0x0000000000516000-memory.dmp
C:\Windows\sara_sexy.exe
| MD5 | 62cfa21a792fa76bcd8ce108afdf4517 |
| SHA1 | f04702cd7c91085c840b95b2de4a6726cf13a838 |
| SHA256 | 6febf4f5937805e186cbddd3e257719546f40c7b4b08052640c9c6927b66c490 |
| SHA512 | 2a755a1ad3fe122b97c1c77b4f87ba1164ea752f3a2fda997566cdde9ed185c23668f937113013eeba8818fb015f145d951f793ab15b027ede6b72ff3769d1cc |
C:\Windows\Cheat Counter Strike.exe
| MD5 | c0d1481589ba69abe6edde2c297ee5a2 |
| SHA1 | 55c0da236cd39bcf9935d25a15c0c35ab257cfc6 |
| SHA256 | cb1e144bca11f74425a9b52afaa443f07fca623e2a3834c142cf66c507386254 |
| SHA512 | 52b6ab4a235bbcc5477654e63066bf13b26e1209bf4c20a170179cf275fe42a7a5d79bb373f74151c465ad7b091d4c9ca2c86b67147ab2e8910867c1974b6349 |
memory/2512-26-0x0000000003360000-0x0000000003418000-memory.dmp
memory/2512-28-0x0000000000400000-0x0000000000516000-memory.dmp
memory/1340-29-0x00000000002F0000-0x00000000002F1000-memory.dmp
C:\Windows\A new game and fun.exe
| MD5 | c454ff16ee361aa3437cbd3652bb4c89 |
| SHA1 | aa18bc928ccca208f089d0527bc5fa05040e2cbe |
| SHA256 | b8e204574f58ece85b3546e30a20610eab2a3ab8d2f8102099bab2e6e19acbc7 |
| SHA512 | e14b021ee5dfe7707f69ed6892482cd4e70414d531f8c725a6004073d9d05114ecebe6725cf5092e09a4a9b32faf50a47a83378aeed464bf42c2ca95292f2604 |
memory/1856-42-0x00000000043F0000-0x00000000043F2000-memory.dmp
memory/2672-43-0x00000000001C0000-0x00000000001C2000-memory.dmp
memory/2852-49-0x0000000000400000-0x0000000000519000-memory.dmp
memory/1856-48-0x0000000000400000-0x00000000004B8000-memory.dmp
memory/2852-53-0x0000000000400000-0x0000000000519000-memory.dmp
C:\Windows\9.ico
| MD5 | 91c7c2ed9890658e1dbc71a8e616769d |
| SHA1 | ecdfa450d9e5bcbb13ad8d3052a75ec87f035180 |
| SHA256 | 66ae7fb55a45294ccfd55d91cacf3d9cfc9a73d8f5dc657de29c4e6570bb3262 |
| SHA512 | 91a59510622ab6f0f3f7a047546de6515301497540dc4af2d70b9b520811a62becc25212e35c7bcbd242985d3053244eca39d5b9273fc971501c8c3fc91deb0b |
memory/1340-55-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/1340-57-0x0000000000400000-0x00000000004B5000-memory.dmp
memory/1340-59-0x0000000000400000-0x00000000004B5000-memory.dmp