darkcomet | 2ed7d9a7249ca29a607da1c1e2a91cb75f9e9c9c19a8f34fa02d15fdd565af06

Analysis

max time kernel
145s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20240802-en
resource tags

arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system
submitted
13-08-2024 13:30

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

934848d0db1061bcedac028bbdf3fcff_JaffaCakes118.exe
Size

1.8MB
MD5

934848d0db1061bcedac028bbdf3fcff
SHA1

7eae11e0aaa6a2bfefb37537c1f7df28f8043149
SHA256

2ed7d9a7249ca29a607da1c1e2a91cb75f9e9c9c19a8f34fa02d15fdd565af06
SHA512

6f4275d3828b40ce6629d4cbcf36ab44c953c91a131375cb591008fbde7840125366ccbd248738f1aa6ed31618f4ff45dc758d11a9564bb8cb611086ba58d853
SSDEEP

24576:8Tv8IaE4o4xKc4dl/AjR5ZbfDWItOtqAK2MB/lAdizMzBIqjwoljui:Kv8I3pWF4D4HZv/4in/SizM7F

Score

10^/10

darkcomet isrstealer sexy_dah credential_access discovery evasion persistence rat spyware stealer trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

sexy_dah

dc.jong.li:1604

Mutex

DCMIN_MUTEX-7Q30C88

Attributes

InstallPath
ANZ\DCR.exe
gencode
oM0WgwgmE3HS
install
true
offline_keylogger
true
persistence
false
reg_key
DCR

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
ISR Stealer
ISR Stealer is a modified version of Hackhound Stealer written in visual basic.
trojan stealer isrstealer

ISR Stealer payload 4 IoCs

Processes:

resource	yara_rule
behavioral2/memory/4888-14-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer
behavioral2/memory/4888-17-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer
behavioral2/memory/4888-82-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer
behavioral2/memory/4888-222-0x0000000000400000-0x0000000000435000-memory.dmp	family_isrstealer

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

setup.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\ANZ\\DCR.exe"	setup.exe

Credentials from Password Stores: Credentials from Web Browsers 1 TTPs
Malicious Access or copy of Web Browser Credential store.
credential_access stealer

Credentials from Web Browsers
T1555.003

Checks computer location settings 2 TTPs 2 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

setup.exeINSTAL~1.EXE

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	setup.exe
Key value queried	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Control Panel\International\Geo\Nation	INSTAL~1.EXE

Executes dropped EXE 10 IoCs

Processes:

setup.exeregister.exeregister.exeregister.exesetup.exesetup.exeDCR.exeINSTAL~1.EXEINSTAL~1.exeDCR.exe

pid	Process
3824	setup.exe
4300	register.exe
4888	register.exe
2680	register.exe
1800	setup.exe
4536	setup.exe
1616	DCR.exe
840	INSTAL~1.EXE
4700	INSTAL~1.exe
2236	DCR.exe

Identifies Wine through registry keys 2 TTPs 3 IoCs

Wine is a compatibility layer capable of running Windows applications, which can be used as sandboxing environment.

evasion

Query Registry

T1012

Virtualization/Sandbox Evasion

T1497

Processes:

description	ioc	Process
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	register.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	setup.exe
Key opened	\REGISTRY\MACHINE\Software\WOW6432Node\Wine	DCR.exe

Reads user/profile data of web browsers 2 TTPs
Infostealers often target stored browser data, which can include saved credentials etc.
spyware stealer

Data from Local System
T1005

Credentials In Files
T1552.001

UPX packed file 10 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral2/memory/2680-22-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2680-24-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2680-25-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2680-26-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/memory/2680-30-0x0000000000400000-0x0000000000453000-memory.dmp	upx
behavioral2/files/0x000700000002341b-52.dat	upx
behavioral2/memory/840-54-0x0000000000EF0000-0x0000000000F68000-memory.dmp	upx
behavioral2/memory/4700-83-0x0000000000A30000-0x0000000000AA8000-memory.dmp	upx
behavioral2/memory/840-85-0x0000000000EF0000-0x0000000000F68000-memory.dmp	upx
behavioral2/memory/4700-219-0x0000000000A30000-0x0000000000AA8000-memory.dmp	upx

Adds Run key to start application 2 TTPs 5 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

934848d0db1061bcedac028bbdf3fcff_JaffaCakes118.exesetup.exesetup.exesetup.exeDCR.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup0 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP000.TMP\\\""	934848d0db1061bcedac028bbdf3fcff_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\RunOnce\wextract_cleanup1 = "rundll32.exe C:\\Windows\\system32\\advpack.dll,DelNodeRunDLL32 \"C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\\""	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DCR = "C:\\Users\\Admin\\AppData\\Roaming\\ANZ\\DCR.exe"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\setup = "C:\\Users\\Admin\\AppData\\Local\\Temp\\IXP001.TMP\\setup.exe"	setup.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DCR = "C:\\Users\\Admin\\AppData\\Roaming\\ANZ\\DCR.exe"	DCR.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

description	pid	Process	procid_target
PID 4300 set thread context of 4888	4300	register.exe	89
PID 4888 set thread context of 2680	4888	register.exe	90
PID 1800 set thread context of 4536	1800	setup.exe	97
PID 1616 set thread context of 2236	1616	DCR.exe	101

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

934848d0db1061bcedac028bbdf3fcff_JaffaCakes118.exesetup.exeINSTAL~1.EXEDCR.exeINSTAL~1.exeDCR.exesetup.exeregister.exeregister.exeregister.exesetup.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	934848d0db1061bcedac028bbdf3fcff_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INSTAL~1.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	INSTAL~1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	DCR.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	register.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	register.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	register.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	setup.exe

Modifies Internet Explorer settings 1 TTPs 4 IoCs

adware spyware

Modify Registry

T1112

Processes:

INSTAL~1.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	INSTAL~1.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\IESettingSync	INSTAL~1.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\SOFTWARE\Microsoft\Internet Explorer\IESettingSync\SlowSettingTypesChanged = "2"	INSTAL~1.exe
Key created	\REGISTRY\USER\S-1-5-21-2392887640-1187051047-2909758433-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	INSTAL~1.exe

Modifies system certificate store 2 TTPs 5 IoCs

evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

Processes:

INSTAL~1.EXE

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5	INSTAL~1.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 040000000100000010000000cb17e431673ee209fe455793f30afa1c0f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c953000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c07f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030109000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703016200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df1400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331330b000000010000001200000056006500720069005300690067006e0000001d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3617e000000010000000800000000c0032f2df8d6016800000001000000000000000300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e5190000000100000010000000d8b5fb368468620275d142ffd2aade372000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	INSTAL~1.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\4EB6D578499B1CCF5F581EAD56BE3D9B6744A5E5\Blob = 5c000000010000000400000000080000190000000100000010000000d8b5fb368468620275d142ffd2aade370300000001000000140000004eb6d578499b1ccf5f581ead56be3d9b6744a5e56800000001000000000000007e000000010000000800000000c0032f2df8d6011d0000000100000010000000c6cbcafa17955c4cfd41eca0c654c3610b000000010000001200000056006500720069005300690067006e0000001400000001000000140000007fd365a7c2ddecbbf03009f34339fa02af3331336200000001000000200000009acfab7e43c8d880d06b262a94deeee4b4659989c3d0caf19baf6405e41ab7df09000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b060105050703017f000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030153000000010000006300000030613021060b6086480186f8450107170630123010060a2b0601040182373c0101030200c0301f06096086480186fd6c020130123010060a2b0601040182373c0101030200c0301b060567810c010330123010060a2b0601040182373c0101030200c00f0000000100000014000000e91e1e972b8f467ab4e0598fa92285387dee94c9040000000100000010000000cb17e431673ee209fe455793f30afa1c2000000001000000d7040000308204d3308203bba003020102021018dad19e267de8bb4a2158cdcc6b3b4a300d06092a864886f70d01010505003081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d204735301e170d3036313130383030303030305a170d3336303731363233353935395a3081ca310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e311f301d060355040b1316566572695369676e205472757374204e6574776f726b313a3038060355040b1331286329203230303620566572695369676e2c20496e632e202d20466f7220617574686f72697a656420757365206f6e6c79314530430603550403133c566572695369676e20436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479202d20473530820122300d06092a864886f70d01010105000382010f003082010a0282010100af240808297a359e600caae74b3b4edc7cbc3c451cbb2be0fe2902f95708a364851527f5f1adc831895d22e82aaaa642b38ff8b955b7b1b74bb3fe8f7e0757ecef43db66621561cf600da4d8def8e0c362083d5413eb49ca59548526e52b8f1b9febf5a191c23349d843636a524bd28fe870514dd189697bc770f6b3dc1274db7b5d4b56d396bf1577a1b0f4a225f2af1c926718e5f40604ef90b9e400e4dd3ab519ff02baf43ceee08beb378becf4d7acf2f6f03dafdd759133191d1c40cb7424192193d914feac2a52c78fd50449e48d6347883c6983cbfe47bd2b7e4fc595ae0e9dd4d143c06773e314087ee53f9f73b8330acf5d3f3487968aee53e825150203010001a381b23081af300f0603551d130101ff040530030101ff300e0603551d0f0101ff040403020106306d06082b0601050507010c0461305fa15da05b3059305730551609696d6167652f6769663021301f300706052b0e03021a04148fe5d31a86ac8d8e6bc3cf806ad448182c7b192e30251623687474703a2f2f6c6f676f2e766572697369676e2e636f6d2f76736c6f676f2e676966301d0603551d0e041604147fd365a7c2ddecbbf03009f34339fa02af333133300d06092a864886f70d0101050500038201010093244a305f62cfd81a982f3deadc992dbd77f6a5792238ecc4a7a07812ad620e457064c5e797662d98097e5fafd6cc2865f201aa081a47def9f97c925a0869200dd93e6d6e3c0d6ed8e606914018b9f8c1eddfdb41aae09620c9cd64153881c994eea284290b136f8edb0cdd2502dba48b1944d2417a05694a584f60ca7e826a0b02aa251739b5db7fe784652a958abd86de5e8116832d10ccdefda8822a6d281f0d0bc4e5e71a2619e1f4116f10b595fce7420532dbce9d515e28b69e85d35befa57d4540728eb70e6b0e06fb33354871b89d278bc4655f0d86769c447af6955cf65d320833a454b6183f685cf2424a853854835fd1e82cf2ac11d6a8ed636a	INSTAL~1.EXE
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2	INSTAL~1.EXE
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\742C3192E607E424EB4549542BE1BBC53E6174E2\Blob = 5c0000000100000004000000000400007e0000000100000008000000000010c51e92d201620000000100000020000000e7685634efacf69ace939a6b255b7b4fabef42935b50a265acb5cb6027e44e7009000000010000002a000000302806082b0601050507030206082b0601050507030306082b0601050507030406082b0601050507030119000000010000001000000091161b894b117ecdc257628db460cc04030000000100000014000000742c3192e607e424eb4549542be1bbc53e6174e21d000000010000001000000027b3517667331ce2c1e74002b5ff2298140000000100000014000000e27f7bd877d5df9e0a3f9eb4cb0e2ea9efdb69770b000000010000004600000056006500720069005300690067006e00200043006c006100730073002000330020005000750062006c006900630020005000720069006d00610072007900200043004100000004000000010000001000000010fc635df6263e0df325be5f79cd67670f0000000100000010000000d7c63be0837dbabf881d4fbf5f986ad853000000010000002400000030223020060a2b0601040182375e010130123010060a2b0601040182373c0101030200c07a000000010000000e000000300c060a2b0601040182375e010268000000010000000800000000003db65bd9d5012000000001000000400200003082023c308201a5021070bae41d10d92934b638ca7b03ccbabf300d06092a864886f70d0101020500305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f72697479301e170d3936303132393030303030305a170d3238303830313233353935395a305f310b300906035504061302555331173015060355040a130e566572695369676e2c20496e632e31373035060355040b132e436c6173732033205075626c6963205072696d6172792043657274696669636174696f6e20417574686f7269747930819f300d06092a864886f70d010101050003818d0030818902818100c95c599ef21b8a0114b410df0440dbe357af6a45408f840c0bd133d9d911cfee02581f25f72aa84405aaec031f787f9e93b99a00aa237dd6ac85a26345c77227ccf44cc67571d239ef4f42f075df0a90c68e206f980ff8ac235f702936a4c986e7b19a20cb53a585e73dbe7d9afe244533dc7615ed0fa271644c652e816845a70203010001300d06092a864886f70d010102050003818100bb4c122bcf2c26004f1413dda6fbfc0a11848cf3281c67922f7cb6c5fadff0e895bc1d8f6c2ca851cc73d8a4c053f04ed626c076015781925e21f1d1b1ffe7d02158cd6917e3441c9c194439895cdc9c000f568d0299eda290454ce4bb10a43df032030ef1cef8e8c9518ce6629fe69fc07db7729cc9363a6b9f4ea8ff640d64	INSTAL~1.EXE

Suspicious behavior: EnumeratesProcesses 6 IoCs

Processes:

pid	Process
4300	register.exe
4300	register.exe
1800	setup.exe
1800	setup.exe
1616	DCR.exe
1616	DCR.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

setup.exeDCR.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4536	setup.exe
Token: SeSecurityPrivilege	4536	setup.exe
Token: SeTakeOwnershipPrivilege	4536	setup.exe
Token: SeLoadDriverPrivilege	4536	setup.exe
Token: SeSystemProfilePrivilege	4536	setup.exe
Token: SeSystemtimePrivilege	4536	setup.exe
Token: SeProfSingleProcessPrivilege	4536	setup.exe
Token: SeIncBasePriorityPrivilege	4536	setup.exe
Token: SeCreatePagefilePrivilege	4536	setup.exe
Token: SeBackupPrivilege	4536	setup.exe
Token: SeRestorePrivilege	4536	setup.exe
Token: SeShutdownPrivilege	4536	setup.exe
Token: SeDebugPrivilege	4536	setup.exe
Token: SeSystemEnvironmentPrivilege	4536	setup.exe
Token: SeChangeNotifyPrivilege	4536	setup.exe
Token: SeRemoteShutdownPrivilege	4536	setup.exe
Token: SeUndockPrivilege	4536	setup.exe
Token: SeManageVolumePrivilege	4536	setup.exe
Token: SeImpersonatePrivilege	4536	setup.exe
Token: SeCreateGlobalPrivilege	4536	setup.exe
Token: 33	4536	setup.exe
Token: 34	4536	setup.exe
Token: 35	4536	setup.exe
Token: 36	4536	setup.exe
Token: SeIncreaseQuotaPrivilege	2236	DCR.exe
Token: SeSecurityPrivilege	2236	DCR.exe
Token: SeTakeOwnershipPrivilege	2236	DCR.exe
Token: SeLoadDriverPrivilege	2236	DCR.exe
Token: SeSystemProfilePrivilege	2236	DCR.exe
Token: SeSystemtimePrivilege	2236	DCR.exe
Token: SeProfSingleProcessPrivilege	2236	DCR.exe
Token: SeIncBasePriorityPrivilege	2236	DCR.exe
Token: SeCreatePagefilePrivilege	2236	DCR.exe
Token: SeBackupPrivilege	2236	DCR.exe
Token: SeRestorePrivilege	2236	DCR.exe
Token: SeShutdownPrivilege	2236	DCR.exe
Token: SeDebugPrivilege	2236	DCR.exe
Token: SeSystemEnvironmentPrivilege	2236	DCR.exe
Token: SeChangeNotifyPrivilege	2236	DCR.exe
Token: SeRemoteShutdownPrivilege	2236	DCR.exe
Token: SeUndockPrivilege	2236	DCR.exe
Token: SeManageVolumePrivilege	2236	DCR.exe
Token: SeImpersonatePrivilege	2236	DCR.exe
Token: SeCreateGlobalPrivilege	2236	DCR.exe
Token: 33	2236	DCR.exe
Token: 34	2236	DCR.exe
Token: 35	2236	DCR.exe
Token: 36	2236	DCR.exe

Suspicious use of SetWindowsHookEx 4 IoCs

Processes:

pid	Process
4888	register.exe
4700	INSTAL~1.exe
4700	INSTAL~1.exe
2236	DCR.exe

Suspicious use of WriteProcessMemory 62 IoCs

Processes:

934848d0db1061bcedac028bbdf3fcff_JaffaCakes118.exesetup.exeregister.exeregister.exesetup.exesetup.exeDCR.exeINSTAL~1.EXE

description	pid	Process	procid_target
PID 3240 wrote to memory of 3824	3240	934848d0db1061bcedac028bbdf3fcff_JaffaCakes118.exe	84
PID 3240 wrote to memory of 3824	3240	934848d0db1061bcedac028bbdf3fcff_JaffaCakes118.exe	84
PID 3240 wrote to memory of 3824	3240	934848d0db1061bcedac028bbdf3fcff_JaffaCakes118.exe	84
PID 3824 wrote to memory of 4300	3824	setup.exe	86
PID 3824 wrote to memory of 4300	3824	setup.exe	86
PID 3824 wrote to memory of 4300	3824	setup.exe	86
PID 4300 wrote to memory of 4888	4300	register.exe	89
PID 4300 wrote to memory of 4888	4300	register.exe	89
PID 4300 wrote to memory of 4888	4300	register.exe	89
PID 4300 wrote to memory of 4888	4300	register.exe	89
PID 4300 wrote to memory of 4888	4300	register.exe	89
PID 4300 wrote to memory of 4888	4300	register.exe	89
PID 4300 wrote to memory of 4888	4300	register.exe	89
PID 4300 wrote to memory of 4888	4300	register.exe	89
PID 4888 wrote to memory of 2680	4888	register.exe	90
PID 4888 wrote to memory of 2680	4888	register.exe	90
PID 4888 wrote to memory of 2680	4888	register.exe	90
PID 4888 wrote to memory of 2680	4888	register.exe	90
PID 4888 wrote to memory of 2680	4888	register.exe	90
PID 4888 wrote to memory of 2680	4888	register.exe	90
PID 4888 wrote to memory of 2680	4888	register.exe	90
PID 4888 wrote to memory of 2680	4888	register.exe	90
PID 3824 wrote to memory of 1800	3824	setup.exe	95
PID 3824 wrote to memory of 1800	3824	setup.exe	95
PID 3824 wrote to memory of 1800	3824	setup.exe	95
PID 1800 wrote to memory of 4536	1800	setup.exe	97
PID 1800 wrote to memory of 4536	1800	setup.exe	97
PID 1800 wrote to memory of 4536	1800	setup.exe	97
PID 1800 wrote to memory of 4536	1800	setup.exe	97
PID 1800 wrote to memory of 4536	1800	setup.exe	97
PID 1800 wrote to memory of 4536	1800	setup.exe	97
PID 1800 wrote to memory of 4536	1800	setup.exe	97
PID 1800 wrote to memory of 4536	1800	setup.exe	97
PID 1800 wrote to memory of 4536	1800	setup.exe	97
PID 1800 wrote to memory of 4536	1800	setup.exe	97
PID 1800 wrote to memory of 4536	1800	setup.exe	97
PID 1800 wrote to memory of 4536	1800	setup.exe	97
PID 1800 wrote to memory of 4536	1800	setup.exe	97
PID 1800 wrote to memory of 4536	1800	setup.exe	97
PID 4536 wrote to memory of 1616	4536	setup.exe	98
PID 4536 wrote to memory of 1616	4536	setup.exe	98
PID 4536 wrote to memory of 1616	4536	setup.exe	98
PID 3240 wrote to memory of 840	3240	934848d0db1061bcedac028bbdf3fcff_JaffaCakes118.exe	100
PID 3240 wrote to memory of 840	3240	934848d0db1061bcedac028bbdf3fcff_JaffaCakes118.exe	100
PID 3240 wrote to memory of 840	3240	934848d0db1061bcedac028bbdf3fcff_JaffaCakes118.exe	100
PID 1616 wrote to memory of 2236	1616	DCR.exe	101
PID 1616 wrote to memory of 2236	1616	DCR.exe	101
PID 1616 wrote to memory of 2236	1616	DCR.exe	101
PID 840 wrote to memory of 4700	840	INSTAL~1.EXE	102
PID 840 wrote to memory of 4700	840	INSTAL~1.EXE	102
PID 840 wrote to memory of 4700	840	INSTAL~1.EXE	102
PID 1616 wrote to memory of 2236	1616	DCR.exe	101
PID 1616 wrote to memory of 2236	1616	DCR.exe	101
PID 1616 wrote to memory of 2236	1616	DCR.exe	101
PID 1616 wrote to memory of 2236	1616	DCR.exe	101
PID 1616 wrote to memory of 2236	1616	DCR.exe	101
PID 1616 wrote to memory of 2236	1616	DCR.exe	101
PID 1616 wrote to memory of 2236	1616	DCR.exe	101
PID 1616 wrote to memory of 2236	1616	DCR.exe	101
PID 1616 wrote to memory of 2236	1616	DCR.exe	101
PID 1616 wrote to memory of 2236	1616	DCR.exe	101
PID 1616 wrote to memory of 2236	1616	DCR.exe	101

C:\Users\Admin\AppData\Local\Temp\934848d0db1061bcedac028bbdf3fcff_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\934848d0db1061bcedac028bbdf3fcff_JaffaCakes118.exe"
1⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3240
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe
  2⤵
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:3824
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\register.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\register.exe
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:4300
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\register.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\register.exe
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:4888
    - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\register.exe
        
        /scomma "C:\Users\Admin\AppData\Local\Temp\kpv44eMI6n.ini"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2680
- - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\setup.exe
    C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\setup.exe
    3⤵
    - Executes dropped EXE
    - Identifies Wine through registry keys
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory
    PID:1800
  - - C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\setup.exe
      C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\setup.exe
      4⤵
      Modifies WinLogon for persistence
      Checks computer location settings
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of WriteProcessMemory
      PID:4536
    - - C:\Users\Admin\AppData\Roaming\ANZ\DCR.exe
        
        "C:\Users\Admin\AppData\Roaming\ANZ\DCR.exe"
        5⤵
        Executes dropped EXE
        Identifies Wine through registry keys
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious behavior: EnumeratesProcesses
        Suspicious use of WriteProcessMemory
        
        PID:1616
      - C:\Users\Admin\AppData\Roaming\ANZ\DCR.exe
        
        C:\Users\Admin\AppData\Roaming\ANZ\DCR.exe
        6⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:2236
- C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE
  C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE
  2⤵
  - Checks computer location settings
  - Executes dropped EXE
  - System Location Discovery: System Language Discovery
  - Modifies system certificate store
  - Suspicious use of WriteProcessMemory
  PID:840
- - C:\Users\Admin\AppData\Local\Temp\INSTAL~1.exe
    "C:\Users\Admin\AppData\Local\Temp\INSTAL~1.exe" {RemoveFile:C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE}
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:4700

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Virtualization/Sandbox Evasion

T1497

Credential Access

Credentials from Password Stores

T1555

Credentials from Web Browsers

T1555.003

Unsecured Credentials

T1552

Credentials In Files

T1552.001

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Virtualization/Sandbox Evasion

T1497

Lateral Movement

Collection

Data from Local System

T1005

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\60E31627FDA0A46932B0E5948949F2A5

Filesize
1KB

MD5
1ba25895dc793e6826cbe8d61ddd8293

SHA1
6387cc55cbe9f71ae41b2425192b900a1eb3a54f

SHA256
cc4c5c999ca59e5a62bc3ffe172a61f8cf13cc18c89fe48f628ff2a75bdc508a

SHA512
1ff9b34fdbeae98fa8b534ba12501eb6df983cc67ce4f8ffc4c1ff12631aa8ed36ff349c39a2186e0ac8d9809437106578a746eec3854b54fef38a3cc0adb957

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\62B5AF9BE9ADC1085C3C56EC07A82BF6

Filesize
80KB

MD5
fd8dc0d175accbcfbd8e8e3fe98b7d29

SHA1
b60d545bbe675fd46fd1493c01c2f5e48b0186de

SHA256
92030a2fe9c738415b32ae12a7d9e9773c32fb337c9daf8fe0469dc9c66f04c6

SHA512
fa7a4e9fde9a86af0cd0e5c76864f534add2ac2b5c3773e96417716ce04a2718755df47990037dcafe6dc79c6f0973158341decd26e587b282aea0ea11e7ae54

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7B8944BA8AD0EFDF0E01A43EF62BECD0_4069BD6CA0A97DCB6D4110B1A16AB213

Filesize
5B

MD5
5bfa51f3a417b98e7443eca90fc94703

SHA1
8c015d80b8a23f780bdd215dc842b0f5551f63bd

SHA256
bebe2853a3485d1c2e5c5be4249183e0ddaff9f87de71652371700a89d937128

SHA512
4cd03686254bb28754cbaa635ae1264723e2be80ce1dd0f78d1ab7aee72232f5b285f79e488e9c5c49ff343015bd07bb8433d6cee08ae3cea8c317303e3ac399

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\60E31627FDA0A46932B0E5948949F2A5

Filesize
182B

MD5
28b3c2321ed96e40329128e03ec0e209

SHA1
2ef99a4a1c7d1380bd68a940df500b85c362e0e8

SHA256
f4bf1b623d0a7ee2a8b3daff845cb299028346d597aebd73c8d1d4733e68e990

SHA512
aa272f40030a025e123e08dd8e38f214074110fe2e73e477afee15799a152a611f06448d0a6a53775003d634ec2a23822108f6929b030aee188694b5d1d644ea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\62B5AF9BE9ADC1085C3C56EC07A82BF6

Filesize
212B

MD5
e6ba1b4c466534e1e0bc635a2e4d3ae8

SHA1
1344188a126631185ec825f9062994a70fe08c3c

SHA256
b5dd4a10f50699b62f8533ad33f4e897b1af1e4d1d73e97489b7fa73010c1ec1

SHA512
27283a688bf3c8d78e4b5a3b74839803e57eeae7d1afc4094365f16ac18e2ffcf6e1a5e2a529b6e6679e0234318e33622cbfac655e9d8ad368ce81bca60015ef

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7B8944BA8AD0EFDF0E01A43EF62BECD0_4069BD6CA0A97DCB6D4110B1A16AB213

Filesize
404B

MD5
bc10420b96526b1f61a86e676391f18a

SHA1
d8b2db2c7edaa3a2ddee3d655b3e551e1baa1029

SHA256
ddda1420dbc7bcb592b9c52035b3d03ac1999806b97c02ec2a826163354b2b11

SHA512
2b790c11bd9d38a47b4e8bc8b0d9e95ec340a679bd49211a010a507e9c28e2da97984c976605e85e46b8f54ef5088dd2cd9f9a44bb87ee1dc73e68478ccc9617

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\D47DBD2F9E3365FBBE008D71FB06716F_DBC0394482C86DF73874BFA8B90905A8

Filesize
404B

MD5
794df7c2403ff57de9274c880bd3eb29

SHA1
82bc596118844c1e43f5e2cc5f617a712c512a50

SHA256
73b79e53a6655d56914fe299d01c45211d7e525baac949929bb5226e7a08f94a

SHA512
a07703d777849f151c3e3f131b15020fa4ab6eabfb1eb9dc2bfbe8e383e2829e61f87f8cffb657b207d908a6b0804a172948145fd7fabb939e6dbd976ba240c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\INSTAL~1.EXE

Filesize
777KB

MD5
a61eb98cfd655c2241639b9a00e89d35

SHA1
16ed8b3ae464c17f8538da40ab40b1071d29b7f8

SHA256
9a53363897b57224ba7d2b3e120d517f6943e4877fb36eb95fe012c766285c2e

SHA512
b46f92de331673bd25679b801e6459b2b9380a62d177174305bfa4afa18829ef9d9250749dc95c8cb40c6b0a71beade7cb18437030372d7e3bcae405fc2f9f12

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP000.TMP\setup.exe

Filesize
1011KB

MD5
5de573deb7bda9c2809f3aadc477754a

SHA1
9bec057a1784ed111d9088c15a80a79dfeb73d36

SHA256
fd3492b64c3a36d9dba2e6547df9978906bd3a6fc7757e636312b598bee2e9bc

SHA512
02f84d8fc659a34d9541e504154fcc861a64cc880722bc99d59508aa2d051d118a1bf2ba839cd3f2addbcc68bc0ef0ae95b1fdb7423e94de47038b25d0928400

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\register.exe

Filesize
292KB

MD5
d2dda4e2bc7c908eca70cef2b4fe8536

SHA1
079ceeae56d4e8e3d50d25e95be4b2b121580746

SHA256
8c98384c3fc340bfcd6b5660f871618024293f168a75a729a8fef13ccf660a92

SHA512
94cd0d15860624b7d2c37d63fd9959ad86578809c7c2aba25f03ff9d215ee3ffb350deae737cf0e6f640b1bbc235d156ddfc427312f6f7e436855dcd700fe5b2

Download Submit
C:\Users\Admin\AppData\Local\Temp\IXP001.TMP\setup.exe

Filesize
744KB

MD5
9953ae7cc3e1304182196ccf5210c6b3

SHA1
2280da98414d206e67cfda878565a94460cd1cbc

SHA256
cc38f0be7593dc1081da6cee2b4a855b3611691bc82d2c17acc89b5eb1a212ca

SHA512
2ed676c97e2eac66aba42faa6f6182c924704fccb22f5f47bd898fa930291611c1c6548497e34e57019de3c66393c65168d880b87dc5f5aef2a8de7d79966fb8

Download Submit
C:\Users\Admin\AppData\Local\Temp\kpv44eMI6n.ini

Filesize
5B

MD5
d1ea279fb5559c020a1b4137dc4de237

SHA1
db6f8988af46b56216a6f0daf95ab8c9bdb57400

SHA256
fcdcc2c46896915a1c695d6231f0fee336a668531b7a3da46178c80362546dba

SHA512
720e9c284f0559015312df7fe977563e5e16f48d3506e51eb4016adf7971924d352f740b030aa3adc81b6f65fd1dba12df06d10fa6c115074e5097e7ee0f08b3

Download Submit
memory/840-85-0x0000000000EF0000-0x0000000000F68000-memory.dmp

Filesize
480KB

Download
memory/840-54-0x0000000000EF0000-0x0000000000F68000-memory.dmp

Filesize
480KB

Download
memory/2236-96-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2236-237-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2236-233-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2236-229-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2236-225-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2236-217-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2236-98-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2236-97-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/2680-22-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2680-30-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2680-26-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2680-25-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/2680-24-0x0000000000400000-0x0000000000453000-memory.dmp

Filesize
332KB

Download
memory/4536-48-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4536-34-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4536-36-0x0000000000400000-0x00000000004B5000-memory.dmp

Filesize
724KB

Download
memory/4700-219-0x0000000000A30000-0x0000000000AA8000-memory.dmp

Filesize
480KB

Download
memory/4700-83-0x0000000000A30000-0x0000000000AA8000-memory.dmp

Filesize
480KB

Download
memory/4888-14-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-17-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-222-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download
memory/4888-82-0x0000000000400000-0x0000000000435000-memory.dmp

Filesize
212KB

Download