darkcomet | ab7f8227177f84c781322b23009f32e372a53ba826a9a96b36a1ee0145b4e0ae

Analysis

max time kernel
150s
max time network
120s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
08-10-2024 20:12

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Size

2.5MB
MD5

24ce711ea3798396150d70df3184fdbb
SHA1

d339a73736b7dd931419b56898aeb8cb373cc1e8
SHA256

ab7f8227177f84c781322b23009f32e372a53ba826a9a96b36a1ee0145b4e0ae
SHA512

8a5ccacc7465f7a38f149d2ee3968ecd04b8927711a4aee134803748669fba4afef6fa21615bc48c02031394b89460932ba2a642b9a7fc2d3372b2386868fdbd
SSDEEP

49152:ZeOYNw8+Cu9ifT5KzyrOTFfoPebTxc4w6SkNB9SEruYtUs72/eS:ZjtoVKzyrONoPMqkNBUErBtUs72eS

Score

10^/10

darkcomet latentbot hydra antivirüs discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Hydra Antivirüs

127.0.0.1:1604

hydrahydra1907.zapto.org:1604

Mutex

DC_MUTEX-F1THYT4

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
fDsHmDftmeEj
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Extracted

Family

latentbot

hydrahydra1907.zapto.org

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
LatentBot
Modular trojan written in Delphi which has been in-the-wild since 2013.
trojan latentbot

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exe

pid	Process
1472	attrib.exe
1460	attrib.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exemsdcsc.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	msdcsc.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	msdcsc.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid	Process
2688	notepad.exe

Executes dropped EXE 3 IoCs

Processes:

msdcsc.exemsdcsc.exemsdcsc.exe

pid	Process
2792	msdcsc.exe
1376	msdcsc.exe
1148	msdcsc.exe

Loads dropped DLL 4 IoCs

Processes:

24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exemsdcsc.exemsdcsc.exe

pid	Process
2736	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
2736	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
2792	msdcsc.exe
1376	msdcsc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exemsdcsc.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3533259084-2542256011-65585152-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exemsdcsc.exe

description	pid	Process	procid_target
PID 1852 set thread context of 2736	1852	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	32
PID 1376 set thread context of 1148	1376	msdcsc.exe	42

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

msdcsc.exeattrib.exe24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exenotepad.execmd.exemsdcsc.exeattrib.exe24ce711ea3798396150d70df3184fdbb_JaffaCakes118.execmd.exemsdcsc.exenotepad.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe

Modifies registry class 5 IoCs

Processes:

24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D06818FC-4374-8FAD-76B6-BC3885DF62D8}\ = "Microsoft COM+ Services Meta Data"	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D06818FC-4374-8FAD-76B6-BC3885DF62D8}\InprocServer32	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D06818FC-4374-8FAD-76B6-BC3885DF62D8}\InprocServer32\ = "%systemroot%\\SysWow64\\clbcatq.dll"	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D06818FC-4374-8FAD-76B6-BC3885DF62D8}\InprocServer32\ThreadingModel = "Both"	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{D06818FC-4374-8FAD-76B6-BC3885DF62D8}	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe

NTFS ADS 3 IoCs

Processes:

24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exemsdcsc.exe

description	ioc	Process
File created	C:\ProgramData\TEMP:E0EC633E	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
File opened for modification	C:\ProgramData\TEMP:E0EC633E	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
File opened for modification	C:\ProgramData\TEMP:E0EC633E	msdcsc.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

msdcsc.exe

pid	Process
1148	msdcsc.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exemsdcsc.exemsdcsc.exe

description	pid	Process
Token: 33	1852	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1852	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: 33	1852	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	1852	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2736	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeSecurityPrivilege	2736	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2736	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2736	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2736	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2736	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2736	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2736	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2736	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeBackupPrivilege	2736	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeRestorePrivilege	2736	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeShutdownPrivilege	2736	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeDebugPrivilege	2736	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2736	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2736	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2736	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeUndockPrivilege	2736	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2736	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2736	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2736	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: 33	2736	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: 34	2736	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: 35	2736	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
Token: 33	1376	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1376	msdcsc.exe
Token: 33	1376	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1376	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	1148	msdcsc.exe
Token: SeSecurityPrivilege	1148	msdcsc.exe
Token: SeTakeOwnershipPrivilege	1148	msdcsc.exe
Token: SeLoadDriverPrivilege	1148	msdcsc.exe
Token: SeSystemProfilePrivilege	1148	msdcsc.exe
Token: SeSystemtimePrivilege	1148	msdcsc.exe
Token: SeProfSingleProcessPrivilege	1148	msdcsc.exe
Token: SeIncBasePriorityPrivilege	1148	msdcsc.exe
Token: SeCreatePagefilePrivilege	1148	msdcsc.exe
Token: SeBackupPrivilege	1148	msdcsc.exe
Token: SeRestorePrivilege	1148	msdcsc.exe
Token: SeShutdownPrivilege	1148	msdcsc.exe
Token: SeDebugPrivilege	1148	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	1148	msdcsc.exe
Token: SeChangeNotifyPrivilege	1148	msdcsc.exe
Token: SeRemoteShutdownPrivilege	1148	msdcsc.exe
Token: SeUndockPrivilege	1148	msdcsc.exe
Token: SeManageVolumePrivilege	1148	msdcsc.exe
Token: SeImpersonatePrivilege	1148	msdcsc.exe
Token: SeCreateGlobalPrivilege	1148	msdcsc.exe
Token: 33	1148	msdcsc.exe
Token: 34	1148	msdcsc.exe
Token: 35	1148	msdcsc.exe

Suspicious use of SetWindowsHookEx 3 IoCs

Processes:

24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exemsdcsc.exemsdcsc.exe

pid	Process
1852	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
1376	msdcsc.exe
1148	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe

description	pid	Process	procid_target
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1852 wrote to memory of 2736	1852	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	32
PID 1852 wrote to memory of 2736	1852	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	32
PID 1852 wrote to memory of 2736	1852	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	32
PID 1852 wrote to memory of 2736	1852	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	32
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1852 wrote to memory of 2736	1852	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	32
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1852 wrote to memory of 2736	1852	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	32
PID 1732 wrote to memory of 1852	1732	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	30
PID 1852 wrote to memory of 2736	1852	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	32
PID 1852 wrote to memory of 2736	1852	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	32
PID 1852 wrote to memory of 2736	1852	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	32
PID 1852 wrote to memory of 2736	1852	24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe	32

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exe

pid	Process
1460	attrib.exe
1472	attrib.exe

C:\Users\Admin\AppData\Local\Temp\24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1732
- C:\Users\Admin\AppData\Local\Temp\24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe"
  2⤵
  - Checks BIOS information in registry
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - NTFS ADS
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1852
- - C:\Users\Admin\AppData\Local\Temp\24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
    C:\Users\Admin\AppData\Local\Temp\24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe
    3⤵
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2736
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe" +s +h
      4⤵
      System Location Discovery: System Language Discovery
      PID:2624
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp\24ce711ea3798396150d70df3184fdbb_JaffaCakes118.exe" +s +h
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1460
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      System Location Discovery: System Language Discovery
      PID:2664
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1472
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      Deletes itself
      System Location Discovery: System Language Discovery
      PID:2688
  - - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      PID:2792
    - - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        5⤵
        Checks BIOS information in registry
        Executes dropped EXE
        Loads dropped DLL
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        NTFS ADS
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1376
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        6⤵
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of AdjustPrivilegeToken
        Suspicious use of SetWindowsHookEx
        
        PID:1148
        
        C:\Windows\SysWOW64\notepad.exe
        
        notepad
        7⤵
        System Location Discovery: System Language Discovery
        
        PID:344

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:E0EC633E

Filesize
128B

MD5
be8c82636789027835db2ce6816797db

SHA1
99accf6c947528e297e95f97a4bc94ee4d65761e

SHA256
36b1afe9ffcb9675badc01757b968573b6da5d0fdfb7653f798b57e226f7f4d3

SHA512
a1bf2d0bbe374a68ade5072eb8c2dfe560c65dba0c67ca305f7dc5021a9e2c367a2ebcac03787011804efe95790dce1cc0a537ed1edcaf7224ac2a78f179a252

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
2.5MB

MD5
24ce711ea3798396150d70df3184fdbb

SHA1
d339a73736b7dd931419b56898aeb8cb373cc1e8

SHA256
ab7f8227177f84c781322b23009f32e372a53ba826a9a96b36a1ee0145b4e0ae

SHA512
8a5ccacc7465f7a38f149d2ee3968ecd04b8927711a4aee134803748669fba4afef6fa21615bc48c02031394b89460932ba2a642b9a7fc2d3372b2386868fdbd

Download Submit
memory/1376-151-0x0000000003F10000-0x0000000004307000-memory.dmp

Filesize
4.0MB

Download
memory/1376-109-0x00000000022F0000-0x0000000002432000-memory.dmp

Filesize
1.3MB

Download
memory/1376-115-0x00000000022F0000-0x0000000002432000-memory.dmp

Filesize
1.3MB

Download
memory/1376-117-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1732-38-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1732-1-0x00000000022E0000-0x00000000026D7000-memory.dmp

Filesize
4.0MB

Download
memory/1732-62-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1732-0-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1852-55-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1852-32-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1852-22-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1852-25-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1852-24-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1852-23-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1852-29-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1852-28-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1852-27-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1852-26-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1852-35-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1852-37-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1852-36-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1852-34-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1852-33-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1852-44-0x0000000003F60000-0x0000000004357000-memory.dmp

Filesize
4.0MB

Download
memory/1852-31-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1852-30-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1852-15-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1852-2-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1852-57-0x00000000022E0000-0x0000000002422000-memory.dmp

Filesize
1.3MB

Download
memory/1852-16-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1852-3-0x0000000000601000-0x0000000000602000-memory.dmp

Filesize
4KB

Download
memory/1852-4-0x00000000022E0000-0x0000000002422000-memory.dmp

Filesize
1.3MB

Download
memory/1852-10-0x00000000022E0000-0x0000000002422000-memory.dmp

Filesize
1.3MB

Download
memory/1852-11-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1852-18-0x00000000022E0000-0x0000000002422000-memory.dmp

Filesize
1.3MB

Download
memory/1852-19-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1852-63-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1852-17-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/1852-41-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/2688-94-0x0000000000150000-0x0000000000151000-memory.dmp

Filesize
4KB

Download
memory/2688-66-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2736-105-0x00000000037E0000-0x0000000003BD7000-memory.dmp

Filesize
4.0MB

Download
memory/2736-53-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2736-106-0x00000000037E0000-0x0000000003BD7000-memory.dmp

Filesize
4.0MB

Download
memory/2736-64-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2736-48-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2736-49-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2736-42-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2736-50-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2736-47-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2736-45-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2736-58-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2736-39-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2736-51-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2736-46-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2736-130-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2736-54-0x0000000000400000-0x00000000004CA000-memory.dmp

Filesize
808KB

Download
memory/2792-108-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download
memory/2792-116-0x00000000022B0000-0x00000000026A7000-memory.dmp

Filesize
4.0MB

Download
memory/2792-197-0x0000000000400000-0x00000000007F7000-memory.dmp

Filesize
4.0MB

Download