darkcomet | 12528688388179e33f9d0db48bcb68809e5be063239d4b2b3387ed4ba3f174e7

Analysis

max time kernel
122s
max time network
119s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
16-10-2024 08:17

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Size

1.8MB
MD5

4c0ddbc263c51cab37967cd30f623418
SHA1

b38d14eec720f3022cb58ef0abd69679b36f6e02
SHA256

12528688388179e33f9d0db48bcb68809e5be063239d4b2b3387ed4ba3f174e7
SHA512

1db7d52efff9f635e0496010bebf2c5f756c31d15a17ccb53f15544fd14c7535b1819530880183c0748995fa4c2c6516e888f5907f95737b4da915a14fc9ed73
SSDEEP

49152:dUwtRKkZcTXvApFMNbUcTtyhW0MTIG2yO:dGvAp9cghhMT21

Score

10^/10

darkcomet discovery persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\nvvsvce.exe"	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe

Checks BIOS information in registry 2 TTPs 4 IoCs

BIOS information is often read in order to detect sandboxing environments.

Query Registry

T1012

System Information Discovery

T1082

Processes:

4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exenvvsvce.exe

description	ioc	Process
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosVersion	nvvsvce.exe
Key value queried	\REGISTRY\MACHINE\HARDWARE\DESCRIPTION\System\SystemBiosDate	nvvsvce.exe

Executes dropped EXE 2 IoCs

Processes:

nvvsvce.exenvvsvce.exe

pid	Process
2892	nvvsvce.exe
2784	nvvsvce.exe

Loads dropped DLL 3 IoCs

Processes:

4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exenvvsvce.exe

pid	Process
2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
2892	nvvsvce.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-312935884-697965778-3955649944-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft Windows Log = "C:\\Users\\Admin\\AppData\\Local\\Temp\\nvvsvce.exe"	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 4 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exenvvsvce.exenvvsvce.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvvsvce.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	nvvsvce.exe

Modifies registry class 38 IoCs

Processes:

4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exenvvsvce.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\InprocServer32	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\Version	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\znjutb = "iYa\\@oRc^BiPXmvPKHrubH~WvUBOT"	nvvsvce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\ProgID\ = "Microsoft.PhotoAcqOptionsDlg.1"	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\VersionIndependentProgID\ = "Microsoft.PhotoAcqOptionsDlg"	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\SpluqmR = "RBWeXMck~\|_h]eVHDct"	nvvsvce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\aphx = "PoZBT]H]kAXXDjulus^"	nvvsvce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\znjutb = "iYa\\@oRc^BiPXmvPKBrubH~XA^e~t"	nvvsvce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\aphx = "PoZBT]H]k@TXDjulus^"	nvvsvce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\znjutb = "iYa\\@oRc^BiPXmvPKGrubH~VeFg{d"	nvvsvce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\znjutb = "iYa\\@oRc^BiPXmvPKNrubH~ZQ}uD\\"	nvvsvce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\znjutb = "iYa\\@oRc^BiPXmvPKOrubH~YmZcdH"	nvvsvce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\TypeLib\ = "{00f25ae8-3625-4e34-92d4-f0918cf010ee}"	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\ufMzHybiccFq = "IxwLdfHwaMnP`~EFMM"	nvvsvce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\znjutb = "iYa\\@oRc^BiPXmvPKCrubH~\\YdT]T"	nvvsvce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\znjutb = "iYa\\@oRc^BiPXmvPKLrubH~ZwtNOX"	nvvsvce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\InprocServer32\ = "%ProgramFiles(x86)%\\Windows Photo Viewer\\PhotoAcq.dll"	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\ujetkcy = "uCup\|[NAWVhcQvqqgPvfsgN"	nvvsvce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\aphx = "PoYBT]H]kAHXDjulus^"	nvvsvce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\aphx = "PoZBT]H]kAHXDjulus^"	nvvsvce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\TypeLib	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\aphx = "PoZBT]H]kAhXDjulus^"	nvvsvce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\znjutb = "iYa\\@oRc^BiPXmvPKMrubH~YKSXoL"	nvvsvce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\aphx = "PoZBT]H]k@dXDjulus^"	nvvsvce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\Version\ = "1.0"	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\rxalxvaCSZvi = "sswu}_^VG`NyHGHnFrE"	nvvsvce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\aphx = "PoZBT]H]kAvXDjulus^"	nvvsvce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\aphx = "PoZBT]H]k@EXDjulus^"	nvvsvce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\yzLtcfM = "DSWeNwv^{rcavBEwxv^cAk@U"	nvvsvce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\rxalxvaCSZvi = "sswu}_^VG`NyHDHnFrE"	nvvsvce.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\ = "PhotoAcquireOptionsDialog"	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\InprocServer32\ThreadingModel = "Apartment"	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\ProgID	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\VersionIndependentProgID	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\zglndiswRf = "xa@jWhRtlI\|ot@CI"	nvvsvce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\znjutb = "iYa\\@oRc^BiPXmvPK@rubH~Xw~yRH"	nvvsvce.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Classes\Wow6432Node\CLSID\{A2398789-976F-331D-959F-582F8D2510CA}\aphx = "PoZBT]H]kAgXDjulus^"	nvvsvce.exe

NTFS ADS 2 IoCs

Processes:

nvvsvce.exe

description	ioc	Process
File created	C:\ProgramData\TEMP:657F2AC8	nvvsvce.exe
File opened for modification	C:\ProgramData\TEMP:657F2AC8	nvvsvce.exe

Suspicious use of AdjustPrivilegeToken 54 IoCs

Processes:

4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exenvvsvce.exe

description	pid	Process
Token: 33	2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Token: 33	2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Token: SeSecurityPrivilege	2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Token: SeBackupPrivilege	2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Token: SeRestorePrivilege	2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Token: SeShutdownPrivilege	2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Token: SeDebugPrivilege	2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Token: SeUndockPrivilege	2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Token: 33	2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Token: 34	2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Token: 35	2532	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
Token: 33	2784	nvvsvce.exe
Token: SeIncBasePriorityPrivilege	2784	nvvsvce.exe
Token: 33	2784	nvvsvce.exe
Token: SeIncBasePriorityPrivilege	2784	nvvsvce.exe
Token: SeIncreaseQuotaPrivilege	2784	nvvsvce.exe
Token: SeSecurityPrivilege	2784	nvvsvce.exe
Token: SeTakeOwnershipPrivilege	2784	nvvsvce.exe
Token: SeLoadDriverPrivilege	2784	nvvsvce.exe
Token: SeSystemProfilePrivilege	2784	nvvsvce.exe
Token: SeSystemtimePrivilege	2784	nvvsvce.exe
Token: SeProfSingleProcessPrivilege	2784	nvvsvce.exe
Token: SeIncBasePriorityPrivilege	2784	nvvsvce.exe
Token: SeCreatePagefilePrivilege	2784	nvvsvce.exe
Token: SeBackupPrivilege	2784	nvvsvce.exe
Token: SeRestorePrivilege	2784	nvvsvce.exe
Token: SeShutdownPrivilege	2784	nvvsvce.exe
Token: SeDebugPrivilege	2784	nvvsvce.exe
Token: SeSystemEnvironmentPrivilege	2784	nvvsvce.exe
Token: SeChangeNotifyPrivilege	2784	nvvsvce.exe
Token: SeRemoteShutdownPrivilege	2784	nvvsvce.exe
Token: SeUndockPrivilege	2784	nvvsvce.exe
Token: SeManageVolumePrivilege	2784	nvvsvce.exe
Token: SeImpersonatePrivilege	2784	nvvsvce.exe
Token: SeCreateGlobalPrivilege	2784	nvvsvce.exe
Token: 33	2784	nvvsvce.exe
Token: 34	2784	nvvsvce.exe
Token: 35	2784	nvvsvce.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

nvvsvce.exe

pid	Process
2784	nvvsvce.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe

description	pid	Process	procid_target
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31
PID 1152 wrote to memory of 2532	1152	4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe	31

C:\Users\Admin\AppData\Local\Temp\4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe"
1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1152
- C:\Users\Admin\AppData\Local\Temp\4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe
  "C:\Users\Admin\AppData\Local\Temp\4c0ddbc263c51cab37967cd30f623418_JaffaCakes118.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Checks BIOS information in registry
  - Loads dropped DLL
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  PID:2532
- - C:\Users\Admin\AppData\Local\Temp\nvvsvce.exe
    "C:\Users\Admin\AppData\Local\Temp\nvvsvce.exe"
    3⤵
    - Executes dropped EXE
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    PID:2892
  - - C:\Users\Admin\AppData\Local\Temp\nvvsvce.exe
      "C:\Users\Admin\AppData\Local\Temp\nvvsvce.exe"
      4⤵
      Checks BIOS information in registry
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Modifies registry class
      NTFS ADS
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2784

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\ProgramData\TEMP:657F2AC8

Filesize
124B

MD5
0a6f1288692d63340a49140b38d7130f

SHA1
32b5cb31403aa95c58086a5ff0b72c17280a2328

SHA256
76608b16ff2fa937a496993085383b0ca53241c64d465dfa7c01643639a57375

SHA512
fe75c8e820bb30345f0d8d6fd509cd37709f76f339240b7d0226b96995ff838da3feb5b8b4996e48ba74d712a987f50301b4dd95141839938af2454d23ad5ebe

Download Submit
\Users\Admin\AppData\Local\Temp\nvvsvce.exe

Filesize
1.8MB

MD5
4c0ddbc263c51cab37967cd30f623418

SHA1
b38d14eec720f3022cb58ef0abd69679b36f6e02

SHA256
12528688388179e33f9d0db48bcb68809e5be063239d4b2b3387ed4ba3f174e7

SHA512
1db7d52efff9f635e0496010bebf2c5f756c31d15a17ccb53f15544fd14c7535b1819530880183c0748995fa4c2c6516e888f5907f95737b4da915a14fc9ed73

Download Submit
memory/1152-2-0x0000000002150000-0x00000000023E2000-memory.dmp

Filesize
2.6MB

Download
memory/1152-0-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/1152-60-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/1152-64-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2532-13-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2532-18-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2532-16-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2532-15-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2532-11-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2532-17-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2532-19-0x0000000002180000-0x00000000022DA000-memory.dmp

Filesize
1.4MB

Download
memory/2532-14-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2532-4-0x0000000002180000-0x00000000022DA000-memory.dmp

Filesize
1.4MB

Download
memory/2532-26-0x00000000041D0000-0x0000000004462000-memory.dmp

Filesize
2.6MB

Download
memory/2532-34-0x00000000041D0000-0x0000000004462000-memory.dmp

Filesize
2.6MB

Download
memory/2532-32-0x0000000002180000-0x00000000022DA000-memory.dmp

Filesize
1.4MB

Download
memory/2532-10-0x0000000002180000-0x00000000022DA000-memory.dmp

Filesize
1.4MB

Download
memory/2532-3-0x000000000051A000-0x000000000051B000-memory.dmp

Filesize
4KB

Download
memory/2532-1-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2532-59-0x0000000002180000-0x00000000022DA000-memory.dmp

Filesize
1.4MB

Download
memory/2784-47-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2784-46-0x0000000002150000-0x00000000022AA000-memory.dmp

Filesize
1.4MB

Download
memory/2784-53-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2784-54-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2784-57-0x0000000002150000-0x00000000022AA000-memory.dmp

Filesize
1.4MB

Download
memory/2784-55-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2784-52-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2784-86-0x0000000002150000-0x00000000022AA000-memory.dmp

Filesize
1.4MB

Download
memory/2784-56-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2784-51-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2784-40-0x0000000002150000-0x00000000022AA000-memory.dmp

Filesize
1.4MB

Download
memory/2784-61-0x0000000002150000-0x00000000022AA000-memory.dmp

Filesize
1.4MB

Download
memory/2784-62-0x0000000002150000-0x00000000022AA000-memory.dmp

Filesize
1.4MB

Download
memory/2892-38-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2892-65-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download
memory/2892-66-0x0000000002150000-0x00000000023E2000-memory.dmp

Filesize
2.6MB

Download
memory/2892-39-0x0000000002150000-0x00000000023E2000-memory.dmp

Filesize
2.6MB

Download
memory/2892-87-0x0000000000400000-0x0000000000692000-memory.dmp

Filesize
2.6MB

Download