Malware Analysis Report

2024-10-23 20:08

Sample ID 240811-a5la2a1dnd
Target 8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118
SHA256 3f48a0ac6fd7487e22566c17ca1eda2bc9bede54adb53cc12bcd6a6afd23cc71
Tags
darkcomet guest16 discovery persistence rat trojan upx
score
10/10

Analysis Overview

score
10/10

SHA256

3f48a0ac6fd7487e22566c17ca1eda2bc9bede54adb53cc12bcd6a6afd23cc71

Threat Level: Known bad

The file 8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

darkcomet guest16 discovery persistence rat trojan upx

Darkcomet

Event Triggered Execution: Image File Execution Options Injection

Drops file in Drivers directory

Executes dropped EXE

Checks computer location settings

UPX packed file

Adds Run key to start application

AutoIT Executable

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of FindShellTrayWindow

Suspicious use of SendNotifyMessage

Suspicious use of SetWindowsHookEx

Suspicious use of AdjustPrivilegeToken

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-08-11 00:47

Signatures

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A

Unsigned PE

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A

Analysis: behavioral2

Detonation Overview

Submitted

2024-08-11 00:47

Reported

2024-08-11 00:50

Platform

win10v2004-20240802-en

Max time kernel

141s

Max time network

131s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\Cheat Counter Strike.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFService.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SavService.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcNASvc.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ALsvc.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgam.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmailc.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SavService.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acs.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastUI.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxkickoff.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32gui.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgfws8.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwebgrd.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\op_mon.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFService.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmailc.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwServ.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acs.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32gui.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwServ.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFTray.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcproxy.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2service.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgfws8.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnsx.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpfsrv.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastUI.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\AvastSvc.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgam.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ekrn.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msksrver.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msksrver.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgtray.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcNASvc.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcmsesvc.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwebgrd.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxkickoff.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\op_mon.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgtray.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ALMon.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe C:\Windows\A new game and fun.exe N/A

Checks computer location settings

Description Indicator Process Target
Key value queried \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Cheat Counter Strike.exe N/A
N/A N/A C:\Windows\sara_sexy.exe N/A
N/A N/A C:\Windows\A new game and fun.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MugeWara = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\MugeWara.exe C:\Windows\A new game and fun.exe N/A
File opened for modification C:\Windows\sara_sexy.exe C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe N/A
File created C:\Windows\9.ico C:\Windows\sara_sexy.exe N/A
File opened for modification C:\Windows\9.ico C:\Windows\sara_sexy.exe N/A
File opened for modification C:\Windows\A new game and fun.exe C:\Windows\sara_sexy.exe N/A
File created C:\Windows\Cheat Counter Strike.exe C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Cheat Counter Strike.exe C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe N/A
File created C:\Windows\sara_sexy.exe C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe N/A
File created C:\Windows\A new game and fun.exe C:\Windows\sara_sexy.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Cheat Counter Strike.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\sara_sexy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\A new game and fun.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: 33 N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: 34 N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: 35 N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: 36 N/A C:\Windows\Cheat Counter Strike.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\A new game and fun.exe N/A
N/A N/A C:\Windows\A new game and fun.exe N/A
N/A N/A C:\Windows\A new game and fun.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\A new game and fun.exe N/A
N/A N/A C:\Windows\A new game and fun.exe N/A
N/A N/A C:\Windows\A new game and fun.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Cheat Counter Strike.exe N/A

Processes

C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe"

C:\Windows\Cheat Counter Strike.exe

"C:\Windows\Cheat Counter Strike.exe"

C:\Windows\sara_sexy.exe

C:\Windows/sara_sexy.exe

C:\Windows\A new game and fun.exe

"C:\Windows/A new game and fun.exe"

Network

Country Destination Domain Proto
US 8.8.8.8:53 154.239.44.20.in-addr.arpa udp
US 8.8.8.8:53 4.159.190.20.in-addr.arpa udp
US 8.8.8.8:53 95.221.229.192.in-addr.arpa udp
US 8.8.8.8:53 26.35.223.20.in-addr.arpa udp
US 8.8.8.8:53 28.118.140.52.in-addr.arpa udp
N/A 192.168.1.2:1604 N/A tcp
US 8.8.8.8:53 149.220.183.52.in-addr.arpa udp
US 8.8.8.8:53 157.123.68.40.in-addr.arpa udp
US 8.8.8.8:53 198.187.3.20.in-addr.arpa udp
US 8.8.8.8:53 55.36.223.20.in-addr.arpa udp
US 8.8.8.8:53 48.229.111.52.in-addr.arpa udp
US 8.8.8.8:53 tse1.mm.bing.net udp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp
US 150.171.27.10:443 tse1.mm.bing.net tcp

Files

memory/1428-0-0x0000000000400000-0x0000000000516000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aut978E.tmp

MD5 62cfa21a792fa76bcd8ce108afdf4517
SHA1 f04702cd7c91085c840b95b2de4a6726cf13a838
SHA256 6febf4f5937805e186cbddd3e257719546f40c7b4b08052640c9c6927b66c490
SHA512 2a755a1ad3fe122b97c1c77b4f87ba1164ea752f3a2fda997566cdde9ed185c23668f937113013eeba8818fb015f145d951f793ab15b027ede6b72ff3769d1cc

C:\Windows\Cheat Counter Strike.exe

MD5 c0d1481589ba69abe6edde2c297ee5a2
SHA1 55c0da236cd39bcf9935d25a15c0c35ab257cfc6
SHA256 cb1e144bca11f74425a9b52afaa443f07fca623e2a3834c142cf66c507386254
SHA512 52b6ab4a235bbcc5477654e63066bf13b26e1209bf4c20a170179cf275fe42a7a5d79bb373f74151c465ad7b091d4c9ca2c86b67147ab2e8910867c1974b6349

memory/1428-28-0x0000000000400000-0x0000000000516000-memory.dmp

memory/1128-29-0x00000000006A0000-0x00000000006A1000-memory.dmp

memory/1328-27-0x0000000000400000-0x00000000004B8000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\aut9A8B.tmp

MD5 c454ff16ee361aa3437cbd3652bb4c89
SHA1 aa18bc928ccca208f089d0527bc5fa05040e2cbe
SHA256 b8e204574f58ece85b3546e30a20610eab2a3ab8d2f8102099bab2e6e19acbc7
SHA512 e14b021ee5dfe7707f69ed6892482cd4e70414d531f8c725a6004073d9d05114ecebe6725cf5092e09a4a9b32faf50a47a83378aeed464bf42c2ca95292f2604

memory/1328-47-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/1932-46-0x0000000000400000-0x0000000000519000-memory.dmp

memory/1932-50-0x0000000000400000-0x0000000000519000-memory.dmp

memory/1128-51-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/1128-53-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/1128-55-0x0000000000400000-0x00000000004B5000-memory.dmp

Analysis: behavioral1

Detonation Overview

Submitted

2024-08-11 00:47

Reported

2024-08-11 00:50

Platform

win7-20240708-en

Max time kernel

141s

Max time network

145s

Command Line

"C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Drops file in Drivers directory

Description Indicator Process Target
File opened for modification C:\Windows\system32\drivers\etc\hosts C:\Windows\Cheat Counter Strike.exe N/A

Event Triggered Execution: Image File Execution Options Injection

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SavService.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\taskmgr.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\op_mon.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acs.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgfws8.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mpfsrv.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastUI.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnsx.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcagent.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcproxy.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcNASvc.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\SavService.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32gui.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgam.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msksrver.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\a2service.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnsx.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFTray.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxkickoff.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\afwServ.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFService.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcshield.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcNASvc.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\msksrver.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cmdagent.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ALsvc.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\op_mon.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ccSvcHst.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFTray.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcsysmon.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgnt.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxservice.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\egui.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32krn.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgwdsvc.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\TFService.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcproxy.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avguard.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\nod32gui.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgtray.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ALMon.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avastUI.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ALsvc.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgfws8.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avgtray.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avmailc.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwebgrd.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avwebgrd.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\guardxkickoff.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\acs.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\sched.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\cfp.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A

Executes dropped EXE

Description Indicator Process Target
N/A N/A C:\Windows\Cheat Counter Strike.exe N/A
N/A N/A C:\Windows\sara_sexy.exe N/A
N/A N/A C:\Windows\A new game and fun.exe N/A

UPX packed file

upx
Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Adds Run key to start application

persistence
Description Indicator Process Target
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MugeWara = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
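The IFEO rows above and this Run key point at the same payload, C:\Windows\MugeWara.exe. Each HKLM ...\Image File Execution Options\<image>\Debugger value (writing it needs administrative rights) makes Windows start the named "debugger" instead of <image> whenever that image is launched, passing the original command line as arguments; the listed security tools, and Regedit.exe, therefore start the payload instead of themselves, and the HKCU Run value relaunches it at logon. A few IFEO keys in the rows shown in this section (ALMon.exe, avgfws8.exe, guardxkickoff.exe) appear only as "Key created" with no Debugger value, which on its own redirects nothing. The Python below is an added example, not code from the report or from the sandbox, that parses rows in the report's own format and separates these cases; SAMPLE_EVENTS is a constructed subset of the rows above, and the function names are the example's own.

```python
r"""Triage the registry rows from the sandbox report above: which images get
an Image File Execution Options (IFEO) Debugger hijack, which IFEO keys were
only created (no Debugger value, so no redirect yet), and what was written
under a Run key.  Added example, not part of the original report or of any
tool named in it.  SAMPLE_EVENTS is a constructed subset of the report rows.
"""
import re
from typing import Dict, List, Tuple

SAMPLE_EVENTS = r"""
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\mcproxy.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\avp.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\ALMon.exe C:\Windows\A new game and fun.exe N/A
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.exe C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Image File Execution Options\Regedit.exe\Debugger = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
Set value (str) \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MugeWara = "C:\\Windows\\MugeWara.exe" C:\Windows\A new game and fun.exe N/A
""".strip().splitlines()

# Row shapes used by the report: 'Set value (<type>) <key>\<name> = "<data>" <process> N/A'
# and 'Key created <key> <process> N/A'.  <data> is shown with escaped backslashes.
SET_VALUE_RE = re.compile(
    r'^Set value \((?P<type>\w+)\) (?P<key>\\REGISTRY\\.+?)\\(?P<name>[^\\]+) = "(?P<data>.*?)" (?P<proc>.+?) N/A$'
)
KEY_CREATED_RE = re.compile(r'^Key created (?P<key>\\REGISTRY\\.+?) (?P<proc>[A-Za-z]:\\.+?) N/A$')

IFEO_PATH = r"\software\microsoft\windows nt\currentversion\image file execution options"
RUN_PATH = r"\software\microsoft\windows\currentversion\run"


def parse_events(lines: List[str]) -> List[dict]:
    """Turn report rows into dicts; rows that match neither shape are skipped."""
    events = []
    for line in lines:
        m = SET_VALUE_RE.match(line)
        if m:
            events.append({"op": "set", "key": m["key"], "name": m["name"],
                           "data": m["data"].replace("\\\\", "\\"), "proc": m["proc"]})
            continue
        m = KEY_CREATED_RE.match(line)
        if m:
            events.append({"op": "create", "key": m["key"], "name": None,
                           "data": None, "proc": m["proc"]})
    return events


def _ifeo_image(key: str):
    r"""Return the image name if key is <...>\Image File Execution Options\<image>, else None."""
    parent, _, image = key.rpartition("\\")
    return image if parent.lower().endswith(IFEO_PATH) else None


def ifeo_debugger_hijacks(events: List[dict]) -> Dict[str, str]:
    """image name -> debugger path, for every IFEO Debugger value written.

    Only the Debugger value redirects execution: when <image> is launched the
    debugger runs instead, with the original command line as its arguments."""
    hijacks = {}
    for e in events:
        if e["op"] == "set" and e["name"].lower() == "debugger":
            image = _ifeo_image(e["key"])
            if image:
                hijacks[image] = e["data"]
    return hijacks


def ifeo_keys_without_debugger(events: List[dict]) -> List[str]:
    """IFEO keys that were created but got no Debugger value in these rows."""
    created = {_ifeo_image(e["key"]) for e in events if e["op"] == "create"}
    created.discard(None)
    return sorted(created - set(ifeo_debugger_hijacks(events)))


def run_key_entries(events: List[dict]) -> List[Tuple[str, str, str]]:
    r"""(hive, value name, command) for each write under ...\CurrentVersion\Run."""
    out = []
    for e in events:
        if e["op"] == "set" and e["key"].lower().endswith(RUN_PATH):
            hive = e["key"].split("\\")[2]          # \REGISTRY\<hive>\...
            out.append((hive, e["name"], e["data"]))
    return out


if __name__ == "__main__":
    ev = parse_events(SAMPLE_EVENTS)
    for image, dbg in sorted(ifeo_debugger_hijacks(ev).items()):
        print(f"IFEO hijack  : {image:<12} -> {dbg}")
    print("IFEO key only:", ifeo_keys_without_debugger(ev))
    for hive, name, cmd in run_key_entries(ev):
        print(f"Run key      : {hive} ...\\Run\\{name} = {cmd}")
```

Run against the full table the same way; anything the hijack map returns is a process name that cannot be started normally on that host until the Debugger value is deleted, and because Regedit.exe is in that map the deletion has to be done from something other than regedit (reg.exe, PowerShell, or offline).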

AutoIT Executable

Description Indicator Process Target
N/A N/A N/A N/A
N/A N/A N/A N/A
N/A N/A N/A N/A

Drops file in Windows directory

Description Indicator Process Target
File created C:\Windows\MugeWara.exe C:\Windows\A new game and fun.exe N/A
File opened for modification C:\Windows\9.ico C:\Windows\SysWOW64\DllHost.exe N/A
File opened for modification C:\Windows\sara_sexy.exe C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\A new game and fun.exe C:\Windows\sara_sexy.exe N/A
File created C:\Windows\sara_sexy.exe C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe N/A
File created C:\Windows\9.ico C:\Windows\sara_sexy.exe N/A
File opened for modification C:\Windows\9.ico C:\Windows\sara_sexy.exe N/A
File created C:\Windows\A new game and fun.exe C:\Windows\sara_sexy.exe N/A
File created C:\Windows\Cheat Counter Strike.exe C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe N/A
File opened for modification C:\Windows\Cheat Counter Strike.exe C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description Indicator Process Target
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\Cheat Counter Strike.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\sara_sexy.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\SysWOW64\DllHost.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Windows\A new game and fun.exe N/A
Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe N/A

Suspicious use of AdjustPrivilegeToken

Description Indicator Process Target
Token: SeIncreaseQuotaPrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeSecurityPrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeTakeOwnershipPrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeLoadDriverPrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeSystemProfilePrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeSystemtimePrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeProfSingleProcessPrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeIncBasePriorityPrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeCreatePagefilePrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeBackupPrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeRestorePrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeShutdownPrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeDebugPrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeSystemEnvironmentPrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeChangeNotifyPrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeRemoteShutdownPrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeUndockPrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeManageVolumePrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeImpersonatePrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: SeCreateGlobalPrivilege N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: 33 (LUID 33, SeIncreaseWorkingSetPrivilege) N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: 34 (LUID 34, SeTimeZonePrivilege) N/A C:\Windows\Cheat Counter Strike.exe N/A
Token: 35 (LUID 35, SeCreateSymbolicLinkPrivilege) N/A C:\Windows\Cheat Counter Strike.exe N/A

Suspicious use of FindShellTrayWindow

Description Indicator Process Target
N/A N/A C:\Windows\A new game and fun.exe N/A
N/A N/A C:\Windows\A new game and fun.exe N/A
N/A N/A C:\Windows\A new game and fun.exe N/A
N/A N/A C:\Windows\SysWOW64\DllHost.exe N/A

Suspicious use of SendNotifyMessage

Description Indicator Process Target
N/A N/A C:\Windows\A new game and fun.exe N/A
N/A N/A C:\Windows\A new game and fun.exe N/A
N/A N/A C:\Windows\A new game and fun.exe N/A

Suspicious use of SetWindowsHookEx

Description Indicator Process Target
N/A N/A C:\Windows\Cheat Counter Strike.exe N/A

Suspicious use of WriteProcessMemory

Description Indicator Process Target
PID 2512 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe C:\Windows\Cheat Counter Strike.exe
PID 2512 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe C:\Windows\Cheat Counter Strike.exe
PID 2512 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe C:\Windows\Cheat Counter Strike.exe
PID 2512 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe C:\Windows\Cheat Counter Strike.exe
PID 2512 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe C:\Windows\sara_sexy.exe
PID 2512 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe C:\Windows\sara_sexy.exe
PID 2512 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe C:\Windows\sara_sexy.exe
PID 2512 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe C:\Windows\sara_sexy.exe
PID 1856 wrote to memory of 2852 N/A C:\Windows\sara_sexy.exe C:\Windows\A new game and fun.exe
PID 1856 wrote to memory of 2852 N/A C:\Windows\sara_sexy.exe C:\Windows\A new game and fun.exe
PID 1856 wrote to memory of 2852 N/A C:\Windows\sara_sexy.exe C:\Windows\A new game and fun.exe
PID 1856 wrote to memory of 2852 N/A C:\Windows\sara_sexy.exe C:\Windows\A new game and fun.exe
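The table above repeats each writer/target pair, one row per observed write, and gives only PIDs and image paths. What matters for triage is the chain those pairs form and whether any target is a process the sample did not itself drop, which would be the pattern to look at for injection into a pre-existing process. The Python below is an added example (not the report's or the sandbox's code) that parses rows in this format, collapses them into a parent/child chain, and checks each target against the "Executes dropped EXE" list. SAMPLE_ROWS is a trimmed copy of the rows above, DROPPED is taken from that list, and the function names are the example's own.

```python
"""Rebuild the process chain from the report's WriteProcessMemory rows and
separate writes into the sample's own dropped children from writes into
processes it did not drop.  Added example, not part of the original report.
SAMPLE_ROWS is a constructed subset of the rows above (repeats kept, as the
report shows one row per write); DROPPED comes from "Executes dropped EXE".
"""
import re
from collections import Counter
from typing import Dict, List, Set, Tuple

SAMPLE_ROWS = r"""
PID 2512 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe C:\Windows\Cheat Counter Strike.exe
PID 2512 wrote to memory of 1340 N/A C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe C:\Windows\Cheat Counter Strike.exe
PID 2512 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe C:\Windows\sara_sexy.exe
PID 2512 wrote to memory of 1856 N/A C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe C:\Windows\sara_sexy.exe
PID 1856 wrote to memory of 2852 N/A C:\Windows\sara_sexy.exe C:\Windows\A new game and fun.exe
PID 1856 wrote to memory of 2852 N/A C:\Windows\sara_sexy.exe C:\Windows\A new game and fun.exe
""".strip().splitlines()

DROPPED = {"Cheat Counter Strike.exe", "sara_sexy.exe", "A new game and fun.exe"}

# 'PID <src> wrote to memory of <dst> N/A <src image> <dst image>'; image paths
# may contain spaces, so the writer path is taken to end at the next ' X:\'.
ROW_RE = re.compile(
    r"^PID (?P<src>\d+) wrote to memory of (?P<dst>\d+) N/A "
    r"(?P<src_img>.+?) (?P<dst_img>[A-Za-z]:\\.+)$"
)

Edge = Tuple[int, int]


def basename(path: str) -> str:
    return path.rsplit("\\", 1)[-1]


def parse_rows(rows: List[str]) -> Tuple[Dict[Edge, int], Dict[int, str]]:
    """Return (write count per (writer, target) pair, pid -> image path)."""
    counts: Counter = Counter()
    images: Dict[int, str] = {}
    for row in rows:
        m = ROW_RE.match(row)
        if not m:
            continue
        src, dst = int(m["src"]), int(m["dst"])
        counts[(src, dst)] += 1
        images[src] = m["src_img"]
        images[dst] = m["dst_img"]
    return dict(counts), images


def lineage(counts: Dict[Edge, int], images: Dict[int, str]) -> Dict[int, List[str]]:
    """For each target pid, the chain of image names from the root writer down."""
    parent = {dst: src for (src, dst) in counts}
    chains = {}
    for pid in parent:
        chain, cur, seen = [], pid, set()
        while cur is not None and cur not in seen:   # seen-set guards against cycles
            seen.add(cur)
            chain.append(basename(images[cur]))
            cur = parent.get(cur)
        chains[pid] = chain[::-1]
    return chains


def roots(counts: Dict[Edge, int]) -> Set[int]:
    """Writers that were never written to: the top of each chain."""
    writers = {src for src, _ in counts}
    targets = {dst for _, dst in counts}
    return writers - targets


def targets_outside(counts: Dict[Edge, int], images: Dict[int, str],
                    dropped: Set[str]) -> List[int]:
    """Target pids whose image is not one of the dropped files, i.e. writes
    into a process the sample did not create itself."""
    return sorted({dst for _, dst in counts if basename(images[dst]) not in dropped})


if __name__ == "__main__":
    counts, images = parse_rows(SAMPLE_ROWS)
    for pid, chain in sorted(lineage(counts, images).items()):
        print(f"{pid}: " + " -> ".join(chain))
    print("root writer(s):", roots(counts))
    print("writes into non-dropped processes:", targets_outside(counts, images, DROPPED))
```

For this report every target is one of the three dropped executables and the only root is PID 2512, the submitted sample, so the rows describe the dropper starting its own payloads rather than a write into an already running process; the same functions flag the latter as soon as a target image is absent from DROPPED.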

Processes

C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\8857b84e74bd78ad49f04f6f8d0ce65a_JaffaCakes118.exe"

C:\Windows\Cheat Counter Strike.exe

"C:\Windows\Cheat Counter Strike.exe"

C:\Windows\sara_sexy.exe

C:\Windows/sara_sexy.exe

C:\Windows\SysWOW64\DllHost.exe

C:\Windows\SysWOW64\DllHost.exe /Processid:{76D0CB12-7604-4048-B83C-1005C7DDC503}

C:\Windows\A new game and fun.exe

"C:\Windows/A new game and fun.exe"

Network

Country Destination Domain Proto
N/A 192.168.1.2:1604 tcp
N/A 192.168.1.2:1604 tcp
N/A 192.168.1.2:1604 tcp
N/A 192.168.1.2:1604 tcp
N/A 192.168.1.2:1604 tcp
N/A 192.168.1.2:1604 tcp
N/A 192.168.1.2:1604 tcp

Files

memory/2512-0-0x0000000000400000-0x0000000000516000-memory.dmp

C:\Windows\sara_sexy.exe

MD5 62cfa21a792fa76bcd8ce108afdf4517
SHA1 f04702cd7c91085c840b95b2de4a6726cf13a838
SHA256 6febf4f5937805e186cbddd3e257719546f40c7b4b08052640c9c6927b66c490
SHA512 2a755a1ad3fe122b97c1c77b4f87ba1164ea752f3a2fda997566cdde9ed185c23668f937113013eeba8818fb015f145d951f793ab15b027ede6b72ff3769d1cc

C:\Windows\Cheat Counter Strike.exe

MD5 c0d1481589ba69abe6edde2c297ee5a2
SHA1 55c0da236cd39bcf9935d25a15c0c35ab257cfc6
SHA256 cb1e144bca11f74425a9b52afaa443f07fca623e2a3834c142cf66c507386254
SHA512 52b6ab4a235bbcc5477654e63066bf13b26e1209bf4c20a170179cf275fe42a7a5d79bb373f74151c465ad7b091d4c9ca2c86b67147ab2e8910867c1974b6349

memory/2512-26-0x0000000003360000-0x0000000003418000-memory.dmp

memory/2512-28-0x0000000000400000-0x0000000000516000-memory.dmp

memory/1340-29-0x00000000002F0000-0x00000000002F1000-memory.dmp

C:\Windows\A new game and fun.exe

MD5 c454ff16ee361aa3437cbd3652bb4c89
SHA1 aa18bc928ccca208f089d0527bc5fa05040e2cbe
SHA256 b8e204574f58ece85b3546e30a20610eab2a3ab8d2f8102099bab2e6e19acbc7
SHA512 e14b021ee5dfe7707f69ed6892482cd4e70414d531f8c725a6004073d9d05114ecebe6725cf5092e09a4a9b32faf50a47a83378aeed464bf42c2ca95292f2604

memory/1856-42-0x00000000043F0000-0x00000000043F2000-memory.dmp

memory/2672-43-0x00000000001C0000-0x00000000001C2000-memory.dmp

memory/2852-49-0x0000000000400000-0x0000000000519000-memory.dmp

memory/1856-48-0x0000000000400000-0x00000000004B8000-memory.dmp

memory/2852-53-0x0000000000400000-0x0000000000519000-memory.dmp

C:\Windows\9.ico

MD5 91c7c2ed9890658e1dbc71a8e616769d
SHA1 ecdfa450d9e5bcbb13ad8d3052a75ec87f035180
SHA256 66ae7fb55a45294ccfd55d91cacf3d9cfc9a73d8f5dc657de29c4e6570bb3262
SHA512 91a59510622ab6f0f3f7a047546de6515301497540dc4af2d70b9b520811a62becc25212e35c7bcbd242985d3053244eca39d5b9273fc971501c8c3fc91deb0b

memory/1340-55-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/1340-57-0x0000000000400000-0x00000000004B5000-memory.dmp

memory/1340-59-0x0000000000400000-0x00000000004B5000-memory.dmp