darkcomet | 217258eb9bcbf4c2ee3667e17a79327cfd33698335fccd94300c6789dbb47c54

Analysis

max time kernel
150s
max time network
149s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
18-10-2024 16:04

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe
Size

4.5MB
MD5

5853b884a32eb9e9503eac435ee36ecf
SHA1

191d500dbf1f089a0ad2c8f1221bffd4ca10ce76
SHA256

217258eb9bcbf4c2ee3667e17a79327cfd33698335fccd94300c6789dbb47c54
SHA512

076c51793de919f402fbe9345fbca2fb2b6a2ef2aff9d91242953df0e4bbcac5f85b290969ed81e941f1d0677a137eba7dd7406b225676adf939cdc264dbb57c
SSDEEP

98304:ayE+lPT8meQ3pv6kTcKCR88WurxVs5QXjyT+oriOs7w29:ayvlAhO7eRpW9Adolup9

Score

10^/10

darkcomet ventrilo discovery evasion persistence privilege_escalation rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

Ventrilo

explom.no-ip.biz:1605

Mutex

DC_MUTEX-FERVLC3

Attributes

InstallPath
Microsoft\svchost.exe
gencode
rSCW9FFPzzcL
install
true
offline_keylogger
true
persistence
true
reg_key
Microsoft

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

ventrilo-3.0.8.Windows-i386.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe"	ventrilo-3.0.8.Windows-i386.exe

UAC bypass 3 TTPs 1 IoCs

evasion trojan

Bypass User Account Control

T1548.002

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Processes:

MAP1.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MAP1.exe

Modifies Windows Firewall 2 TTPs 1 IoCs

evasion

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

netsh.exe

pid	Process
2780	netsh.exe

Executes dropped EXE 6 IoCs

Processes:

ventrilo-3.0.8-Windows-i386.exeventrilo-3.0.8.Windows-i386.exeMAP1.exeventrilo-3.0.8.Windows-i386.exesvchost.exesvchost.exe

pid	Process
2504	ventrilo-3.0.8-Windows-i386.exe
2368	ventrilo-3.0.8.Windows-i386.exe
1820	MAP1.exe
2608	ventrilo-3.0.8.Windows-i386.exe
1876	svchost.exe
2296	svchost.exe

Loads dropped DLL 29 IoCs

Processes:

5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exeventrilo-3.0.8-Windows-i386.exeventrilo-3.0.8.Windows-i386.exeMAP1.exeventrilo-3.0.8.Windows-i386.exesvchost.exesvchost.exeMsiExec.exe

pid	Process
2124	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe
2124	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe
2124	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe
2124	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe
2124	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe
2504	ventrilo-3.0.8-Windows-i386.exe
2504	ventrilo-3.0.8-Windows-i386.exe
2368	ventrilo-3.0.8.Windows-i386.exe
2368	ventrilo-3.0.8.Windows-i386.exe
2368	ventrilo-3.0.8.Windows-i386.exe
1820	MAP1.exe
1820	MAP1.exe
1820	MAP1.exe
2368	ventrilo-3.0.8.Windows-i386.exe
2608	ventrilo-3.0.8.Windows-i386.exe
2608	ventrilo-3.0.8.Windows-i386.exe
2608	ventrilo-3.0.8.Windows-i386.exe
2608	ventrilo-3.0.8.Windows-i386.exe
2608	ventrilo-3.0.8.Windows-i386.exe
1876	svchost.exe
1876	svchost.exe
1876	svchost.exe
1876	svchost.exe
2296	svchost.exe
2296	svchost.exe
2296	svchost.exe
3032	MsiExec.exe
3032	MsiExec.exe
3032	MsiExec.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

ventrilo-3.0.8.Windows-i386.exesvchost.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe"	ventrilo-3.0.8.Windows-i386.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\svchost.exe"	svchost.exe

Checks whether UAC is enabled 1 TTPs 1 IoCs

evasion trojan

System Information Discovery

T1082

Processes:

MAP1.exe

description	ioc	Process
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MAP1.exe

Enumerates connected drives 3 TTPs 46 IoCs

Attempts to read the root path of hard drives other than the default C: drive.

Query Registry

T1012

Peripheral Device Discovery

T1120

System Information Discovery

T1082

Processes:

msiexec.exemsiexec.exe

description	ioc	Process
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\S:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\X:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\H:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\R:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\A:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\U:	msiexec.exe
File opened (read-only)	\??\W:	msiexec.exe
File opened (read-only)	\??\P:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\T:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\I:	msiexec.exe
File opened (read-only)	\??\K:	msiexec.exe
File opened (read-only)	\??\L:	msiexec.exe
File opened (read-only)	\??\O:	msiexec.exe
File opened (read-only)	\??\B:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Q:	msiexec.exe
File opened (read-only)	\??\V:	msiexec.exe
File opened (read-only)	\??\Y:	msiexec.exe
File opened (read-only)	\??\G:	msiexec.exe
File opened (read-only)	\??\E:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe
File opened (read-only)	\??\M:	msiexec.exe
File opened (read-only)	\??\N:	msiexec.exe
File opened (read-only)	\??\Z:	msiexec.exe
File opened (read-only)	\??\J:	msiexec.exe

Suspicious use of NtSetInformationThreadHideFromDebugger 3 IoCs

Processes:

ventrilo-3.0.8.Windows-i386.exesvchost.exe

pid	Process
2368	ventrilo-3.0.8.Windows-i386.exe
1876	svchost.exe
1876	svchost.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

ventrilo-3.0.8.Windows-i386.exesvchost.exe

description	pid	Process	procid_target
PID 2368 set thread context of 2608	2368	ventrilo-3.0.8.Windows-i386.exe	41
PID 1876 set thread context of 2296	1876	svchost.exe	47

UPX packed file 12 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

Processes:

resource	yara_rule
behavioral1/memory/2608-73-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2608-71-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2608-70-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2608-66-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2608-64-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2608-61-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2608-59-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2296-152-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2296-151-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2296-195-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2608-131-0x0000000000400000-0x00000000004B7000-memory.dmp	upx
behavioral1/memory/2296-213-0x0000000000400000-0x00000000004B7000-memory.dmp	upx

Drops file in Program Files directory 10 IoCs

Processes:

5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exeventrilo-3.0.8-Windows-i386.exeventrilo-3.0.8.Windows-i386.exe

description	ioc	Process
File created	C:\Program Files (x86)\Ventrilo Setup\ventrilo-3.0.8.Windows-i386.exe	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Ventrilo Setup\ventrilo-3.0.8.Windows-i386.exe	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Ventrilo Setup\MAP1.exe	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe
File opened for modification	C:\Program Files (x86)\Ventrilo Setup\ventrilo-3.0.8-Windows-i386.exe	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe
File created	C:\Program Files (x86)\Ventrilo Setup\ventrilo-3.0.8-Windows-i386.exe	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe
File created	C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS789289CAF73A4A16A33154D498CE069F_3_0_8.MSI	ventrilo-3.0.8-Windows-i386.exe
File opened for modification	C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS789289CAF73A4A16A33154D498CE069F_3_0_8.MSI	ventrilo-3.0.8-Windows-i386.exe
File opened for modification	C:\Program Files (x86)\Ventrilo Setup\ventrilo-3.0.8.Windows-i386.exe	ventrilo-3.0.8.Windows-i386.exe
File opened for modification	C:\Program Files (x86)\Ventrilo Setup	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe
File created	C:\Program Files (x86)\Ventrilo Setup\MAP1.exe	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Event Triggered Execution: Netsh Helper DLL 1 TTPs 3 IoCs

Netsh.exe (also referred to as Netshell) is a command-line scripting utility used to interact with the network configuration of a system.

persistence privilege_escalation

Netsh Helper DLL

T1546.007

Processes:

netsh.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key queried	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe
Key value enumerated	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\NetSh	netsh.exe

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

net.exe5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exenet.exeventrilo-3.0.8.Windows-i386.exesvchost.exesvchost.exenotepad.exenetsh.exenet1.exemsiexec.exenotepad.exeMAP1.exenet1.exeMsiExec.exeventrilo-3.0.8-Windows-i386.exeventrilo-3.0.8.Windows-i386.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ventrilo-3.0.8.Windows-i386.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	svchost.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	netsh.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msiexec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MAP1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	MsiExec.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ventrilo-3.0.8-Windows-i386.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	ventrilo-3.0.8.Windows-i386.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

Processes:

ventrilo-3.0.8.Windows-i386.exesvchost.exe

pid	Process
2368	ventrilo-3.0.8.Windows-i386.exe
1876	svchost.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

svchost.exe

pid	Process
2296	svchost.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exemsiexec.exeventrilo-3.0.8.Windows-i386.exemsiexec.exe

description	pid	Process
Token: SeRestorePrivilege	2124	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe
Token: SeBackupPrivilege	2124	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe
Token: SeShutdownPrivilege	2824	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2824	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2608	ventrilo-3.0.8.Windows-i386.exe
Token: SeSecurityPrivilege	2608	ventrilo-3.0.8.Windows-i386.exe
Token: SeTakeOwnershipPrivilege	2608	ventrilo-3.0.8.Windows-i386.exe
Token: SeLoadDriverPrivilege	2608	ventrilo-3.0.8.Windows-i386.exe
Token: SeSystemProfilePrivilege	2608	ventrilo-3.0.8.Windows-i386.exe
Token: SeSystemtimePrivilege	2608	ventrilo-3.0.8.Windows-i386.exe
Token: SeProfSingleProcessPrivilege	2608	ventrilo-3.0.8.Windows-i386.exe
Token: SeIncBasePriorityPrivilege	2608	ventrilo-3.0.8.Windows-i386.exe
Token: SeCreatePagefilePrivilege	2608	ventrilo-3.0.8.Windows-i386.exe
Token: SeBackupPrivilege	2608	ventrilo-3.0.8.Windows-i386.exe
Token: SeRestorePrivilege	2608	ventrilo-3.0.8.Windows-i386.exe
Token: SeShutdownPrivilege	2608	ventrilo-3.0.8.Windows-i386.exe
Token: SeDebugPrivilege	2608	ventrilo-3.0.8.Windows-i386.exe
Token: SeSystemEnvironmentPrivilege	2608	ventrilo-3.0.8.Windows-i386.exe
Token: SeChangeNotifyPrivilege	2608	ventrilo-3.0.8.Windows-i386.exe
Token: SeRemoteShutdownPrivilege	2608	ventrilo-3.0.8.Windows-i386.exe
Token: SeUndockPrivilege	2608	ventrilo-3.0.8.Windows-i386.exe
Token: SeManageVolumePrivilege	2608	ventrilo-3.0.8.Windows-i386.exe
Token: SeImpersonatePrivilege	2608	ventrilo-3.0.8.Windows-i386.exe
Token: SeCreateGlobalPrivilege	2608	ventrilo-3.0.8.Windows-i386.exe
Token: 33	2608	ventrilo-3.0.8.Windows-i386.exe
Token: 34	2608	ventrilo-3.0.8.Windows-i386.exe
Token: 35	2608	ventrilo-3.0.8.Windows-i386.exe
Token: SeRestorePrivilege	2608	ventrilo-3.0.8.Windows-i386.exe
Token: SeBackupPrivilege	2608	ventrilo-3.0.8.Windows-i386.exe
Token: SeRestorePrivilege	2352	msiexec.exe
Token: SeTakeOwnershipPrivilege	2352	msiexec.exe
Token: SeSecurityPrivilege	2352	msiexec.exe
Token: SeCreateTokenPrivilege	2824	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2824	msiexec.exe
Token: SeLockMemoryPrivilege	2824	msiexec.exe
Token: SeIncreaseQuotaPrivilege	2824	msiexec.exe
Token: SeMachineAccountPrivilege	2824	msiexec.exe
Token: SeTcbPrivilege	2824	msiexec.exe
Token: SeSecurityPrivilege	2824	msiexec.exe
Token: SeTakeOwnershipPrivilege	2824	msiexec.exe
Token: SeLoadDriverPrivilege	2824	msiexec.exe
Token: SeSystemProfilePrivilege	2824	msiexec.exe
Token: SeSystemtimePrivilege	2824	msiexec.exe
Token: SeProfSingleProcessPrivilege	2824	msiexec.exe
Token: SeIncBasePriorityPrivilege	2824	msiexec.exe
Token: SeCreatePagefilePrivilege	2824	msiexec.exe
Token: SeCreatePermanentPrivilege	2824	msiexec.exe
Token: SeBackupPrivilege	2824	msiexec.exe
Token: SeRestorePrivilege	2824	msiexec.exe
Token: SeShutdownPrivilege	2824	msiexec.exe
Token: SeDebugPrivilege	2824	msiexec.exe
Token: SeAuditPrivilege	2824	msiexec.exe
Token: SeSystemEnvironmentPrivilege	2824	msiexec.exe
Token: SeChangeNotifyPrivilege	2824	msiexec.exe
Token: SeRemoteShutdownPrivilege	2824	msiexec.exe
Token: SeUndockPrivilege	2824	msiexec.exe
Token: SeSyncAgentPrivilege	2824	msiexec.exe
Token: SeEnableDelegationPrivilege	2824	msiexec.exe
Token: SeManageVolumePrivilege	2824	msiexec.exe
Token: SeImpersonatePrivilege	2824	msiexec.exe
Token: SeCreateGlobalPrivilege	2824	msiexec.exe
Token: SeCreateTokenPrivilege	2824	msiexec.exe
Token: SeAssignPrimaryTokenPrivilege	2824	msiexec.exe
Token: SeLockMemoryPrivilege	2824	msiexec.exe

Suspicious use of FindShellTrayWindow 2 IoCs

Processes:

msiexec.exe

pid	Process
2824	msiexec.exe
2824	msiexec.exe

Suspicious use of SetWindowsHookEx 6 IoCs

Processes:

ventrilo-3.0.8.Windows-i386.exeMAP1.exesvchost.exesvchost.exe

pid	Process
2368	ventrilo-3.0.8.Windows-i386.exe
1820	MAP1.exe
2368	ventrilo-3.0.8.Windows-i386.exe
1876	svchost.exe
1876	svchost.exe
2296	svchost.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exeventrilo-3.0.8-Windows-i386.exeMAP1.exenet.exeventrilo-3.0.8.Windows-i386.exe

description	pid	Process	procid_target
PID 2124 wrote to memory of 2504	2124	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2504	2124	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2504	2124	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2504	2124	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2504	2124	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2504	2124	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2504	2124	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe	30
PID 2124 wrote to memory of 2368	2124	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe	31
PID 2124 wrote to memory of 2368	2124	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe	31
PID 2124 wrote to memory of 2368	2124	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe	31
PID 2124 wrote to memory of 2368	2124	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe	31
PID 2124 wrote to memory of 2368	2124	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe	31
PID 2124 wrote to memory of 2368	2124	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe	31
PID 2124 wrote to memory of 2368	2124	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe	31
PID 2124 wrote to memory of 1820	2124	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe	32
PID 2124 wrote to memory of 1820	2124	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe	32
PID 2124 wrote to memory of 1820	2124	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe	32
PID 2124 wrote to memory of 1820	2124	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe	32
PID 2124 wrote to memory of 1820	2124	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe	32
PID 2124 wrote to memory of 1820	2124	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe	32
PID 2124 wrote to memory of 1820	2124	5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe	32
PID 2504 wrote to memory of 2824	2504	ventrilo-3.0.8-Windows-i386.exe	33
PID 2504 wrote to memory of 2824	2504	ventrilo-3.0.8-Windows-i386.exe	33
PID 2504 wrote to memory of 2824	2504	ventrilo-3.0.8-Windows-i386.exe	33
PID 2504 wrote to memory of 2824	2504	ventrilo-3.0.8-Windows-i386.exe	33
PID 2504 wrote to memory of 2824	2504	ventrilo-3.0.8-Windows-i386.exe	33
PID 2504 wrote to memory of 2824	2504	ventrilo-3.0.8-Windows-i386.exe	33
PID 2504 wrote to memory of 2824	2504	ventrilo-3.0.8-Windows-i386.exe	33
PID 1820 wrote to memory of 2716	1820	MAP1.exe	34
PID 1820 wrote to memory of 2716	1820	MAP1.exe	34
PID 1820 wrote to memory of 2716	1820	MAP1.exe	34
PID 1820 wrote to memory of 2716	1820	MAP1.exe	34
PID 1820 wrote to memory of 2716	1820	MAP1.exe	34
PID 1820 wrote to memory of 2716	1820	MAP1.exe	34
PID 1820 wrote to memory of 2716	1820	MAP1.exe	34
PID 1820 wrote to memory of 2560	1820	MAP1.exe	35
PID 1820 wrote to memory of 2560	1820	MAP1.exe	35
PID 1820 wrote to memory of 2560	1820	MAP1.exe	35
PID 1820 wrote to memory of 2560	1820	MAP1.exe	35
PID 1820 wrote to memory of 2560	1820	MAP1.exe	35
PID 1820 wrote to memory of 2560	1820	MAP1.exe	35
PID 1820 wrote to memory of 2560	1820	MAP1.exe	35
PID 1820 wrote to memory of 2780	1820	MAP1.exe	37
PID 1820 wrote to memory of 2780	1820	MAP1.exe	37
PID 1820 wrote to memory of 2780	1820	MAP1.exe	37
PID 1820 wrote to memory of 2780	1820	MAP1.exe	37
PID 1820 wrote to memory of 2780	1820	MAP1.exe	37
PID 1820 wrote to memory of 2780	1820	MAP1.exe	37
PID 1820 wrote to memory of 2780	1820	MAP1.exe	37
PID 2716 wrote to memory of 2764	2716	net.exe	39
PID 2716 wrote to memory of 2764	2716	net.exe	39
PID 2716 wrote to memory of 2764	2716	net.exe	39
PID 2716 wrote to memory of 2764	2716	net.exe	39
PID 2716 wrote to memory of 2764	2716	net.exe	39
PID 2716 wrote to memory of 2764	2716	net.exe	39
PID 2716 wrote to memory of 2764	2716	net.exe	39
PID 2368 wrote to memory of 2608	2368	ventrilo-3.0.8.Windows-i386.exe	41
PID 2368 wrote to memory of 2608	2368	ventrilo-3.0.8.Windows-i386.exe	41
PID 2368 wrote to memory of 2608	2368	ventrilo-3.0.8.Windows-i386.exe	41
PID 2368 wrote to memory of 2608	2368	ventrilo-3.0.8.Windows-i386.exe	41
PID 2368 wrote to memory of 2608	2368	ventrilo-3.0.8.Windows-i386.exe	41
PID 2368 wrote to memory of 2608	2368	ventrilo-3.0.8.Windows-i386.exe	41
PID 2368 wrote to memory of 2608	2368	ventrilo-3.0.8.Windows-i386.exe	41
PID 2368 wrote to memory of 2608	2368	ventrilo-3.0.8.Windows-i386.exe	41

System policy modification 1 TTPs 2 IoCs

evasion

Modify Registry

T1112

Processes:

MAP1.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System	MAP1.exe
Set value (int)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\EnableLUA = "0"	MAP1.exe

Uses Volume Shadow Copy service COM API
The Volume Shadow Copy service is used to manage backups/snapshots.
ransomware

C:\Users\Admin\AppData\Local\Temp\5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5853b884a32eb9e9503eac435ee36ecf_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in Program Files directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2124
- C:\Program Files (x86)\Ventrilo Setup\ventrilo-3.0.8-Windows-i386.exe
  "C:\Program Files (x86)\Ventrilo Setup\ventrilo-3.0.8-Windows-i386.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2504
- - C:\Windows\SysWOW64\msiexec.exe
    "C:\Windows\System32\msiexec.exe" /I "C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS789289CAF73A4A16A33154D498CE069F_3_0_8.MSI" WISE_SETUP_EXE_PATH="C:\Program Files (x86)\Ventrilo Setup\ventrilo-3.0.8-Windows-i386.exe"
    3⤵
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of FindShellTrayWindow
    PID:2824
- C:\Program Files (x86)\Ventrilo Setup\ventrilo-3.0.8.Windows-i386.exe
  "C:\Program Files (x86)\Ventrilo Setup\ventrilo-3.0.8.Windows-i386.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - Suspicious use of NtSetInformationThreadHideFromDebugger
  - Suspicious use of SetThreadContext
  - Drops file in Program Files directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2368
- - C:\Program Files (x86)\Ventrilo Setup\ventrilo-3.0.8.Windows-i386.exe
    "C:\Program Files (x86)\Ventrilo Setup\ventrilo-3.0.8.Windows-i386.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    PID:2608
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      System Location Discovery: System Language Discovery
      PID:544
  - - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
      "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      Suspicious use of NtSetInformationThreadHideFromDebugger
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of SetWindowsHookEx
      PID:1876
    - - C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe
        
        "C:\Users\Admin\AppData\Roaming\Microsoft\svchost.exe"
        5⤵
        Executes dropped EXE
        Loads dropped DLL
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        Suspicious behavior: GetForegroundWindowSpam
        Suspicious use of SetWindowsHookEx
        
        PID:2296
      - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:2456
- C:\Program Files (x86)\Ventrilo Setup\MAP1.exe
  "C:\Program Files (x86)\Ventrilo Setup\MAP1.exe"
  2⤵
  - UAC bypass
  - Executes dropped EXE
  - Loads dropped DLL
  - Checks whether UAC is enabled
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - System policy modification
  PID:1820
- - C:\Windows\SysWOW64\net.exe
    net stop WinDefend
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2716
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop WinDefend
      4⤵
      System Location Discovery: System Language Discovery
      PID:2764
- - C:\Windows\SysWOW64\net.exe
    net stop security center
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2560
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop security center
      4⤵
      System Location Discovery: System Language Discovery
      PID:2564
- - C:\Windows\SysWOW64\netsh.exe
    netsh firewall set opmode disable
    3⤵
    - Modifies Windows Firewall
    - Event Triggered Execution: Netsh Helper DLL
    - System Location Discovery: System Language Discovery
    PID:2780

C:\Windows\system32\msiexec.exe
C:\Windows\system32\msiexec.exe /V
1⤵
- Enumerates connected drives
- Suspicious use of AdjustPrivilegeToken
PID:2352
- C:\Windows\syswow64\MsiExec.exe
  C:\Windows\syswow64\MsiExec.exe -Embedding 91FC0E4376A524DB85DE6E4DDC2720F5 C
  2⤵
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  PID:3032
- C:\Windows\system32\WerFault.exe
  C:\Windows\system32\WerFault.exe -u -p 2352 -s 868
  2⤵
  PID:2312

C:\Windows\system32\vssvc.exe
C:\Windows\system32\vssvc.exe
1⤵
PID:3024

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Privilege Escalation

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Event Triggered Execution

T1546

Netsh Helper DLL

T1546.007

Defense Evasion

Abuse Elevation Control Mechanism

T1548

Bypass User Account Control

T1548.002

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Peripheral Device Discovery

T1120

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Program Files (x86)\Common Files\Wise Installation Wizard\WIS789289CAF73A4A16A33154D498CE069F_3_0_8.MSI

Filesize
3.5MB

MD5
3e42e54d2c55142018961a747dc699b9

SHA1
1ad9e9802c7c260608e9a528cf75169ddde4855e

SHA256
80affd66d6a8aaace9c1ee5ca1ced8830da555f55c597f2c3f13263d6a7f96c4

SHA512
c3b6060316c11f045898aacdfba4d10baeb0f8498013d4cb6003bbb010d968c9b24904365e9f8494cde6e5975a3a6f816ad74075d4d0c04e83d1aa49e35c1cf8

Download Submit
C:\Program Files (x86)\Ventrilo Setup\MAP1.exe

Filesize
32KB

MD5
4d1ac64b7a55d850808755f029dbb419

SHA1
2618a2e1965db421acd331368818bab7fca6bec7

SHA256
548fbf0fab4a87d767249073d1f7446f67ab33db667695e4249122d52190fe8f

SHA512
ce0b1f33f9d3b7c3903e21e55e1f68e8fc864a58e68966e0a818662200698d2234576d1d1e6b4832bfd0b5def9202797aa1cfcfc841260bb50ee8b49100148a0

Download Submit
C:\Program Files (x86)\Ventrilo Setup\ventrilo-3.0.8.Windows-i386.exe

Filesize
1.3MB

MD5
8d49418ba2a035f7629cc8f6f2f3caff

SHA1
9725fff811057580dee552db0cb66e574fffd329

SHA256
daf6330d2c2df87edcafae8e8abfbe0dcd2429cd0be76986500b743fdfc268b1

SHA512
9411db8cd3984515ba26861c31fc67c2cac7954dee239b5846a2387767dd7442c570f613cff922c56c683d2ad6d4bb7b9012039c58a65ab1cb0d5f5b74ee08bf

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICB4B.tmp

Filesize
160KB

MD5
d9d9718000704053e7325752829bd5c9

SHA1
b7096b33219a78752ad128aaacc468047ca7c5aa

SHA256
80caaefda1b2ceda08e27cdfa2a579a2ee9f225a3ed436447f402a67d9fa91c3

SHA512
6e48f7a7ab276e15ed8d9d0c1f20d68316fdd53030432fb32850387c0867e3876e712a3627129cd30fa1c64ea369b722694f2e4b8fc86fc8579355827603c691

Download Submit
C:\Users\Admin\AppData\Local\Temp\MSICD20.tmp

Filesize
8KB

MD5
53bfc64d0c686ad04e92ca884bcfacf6

SHA1
354489a29bb5164c32a1cb567855723e15e957b8

SHA256
84fd0ecbe013c9af8649b8de36807ad2f37d33cd85fb9ebd1b01b59f295a8051

SHA512
3374ea30f69106db3da1e324fd7bd794d100e750984dc0bb160f16f3561d3a8d1e237a363d0f06d88efdfbaa41c9f9550016632470df52e1b41ec31c01ce57b8

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3290804112-2823094203-3137964600-1000\88603cb2913a7df3fbd16b5f958e6447_94ea1d76-6d7e-4d9e-abc7-ef9a6a2a9269

Filesize
51B

MD5
5fc2ac2a310f49c14d195230b91a8885

SHA1
90855cc11136ba31758fe33b5cf9571f9a104879

SHA256
374e0e2897a7a82e0e44794cad89df0f3cdd7703886239c1fe06d625efd48092

SHA512
ab46554df9174b9fe9beba50a640f67534c3812f64d96a1fb8adfdc136dfe730ca2370825cd45b7f87a544d6a58dd868cb5a3a7f42e2789f6d679dbc0fdd52c3

Download Submit
\Program Files (x86)\Ventrilo Setup\ventrilo-3.0.8-Windows-i386.exe

Filesize
3.6MB

MD5
0cd0a1eebefd190dbc43a5971aeb039b

SHA1
32364cd9237866d9b844768d191ef004c1433c79

SHA256
4006f4689aa26ba3a3ee884bbeefc9087dadf72e1061b4e882f3db8f3718dca4

SHA512
682faf34820929b9ae6b4adf0b0a0e2f4086171733156091aa844176dd1d1108996462e4f827b8086b8351395848182f7a60b774a85eb2bca25a27e7cbc25789

Download Submit
memory/544-109-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/544-81-0x0000000000090000-0x0000000000091000-memory.dmp

Filesize
4KB

Download
memory/1876-200-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/1876-125-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/1876-194-0x0000000003D00000-0x00000000040C2000-memory.dmp

Filesize
3.8MB

Download
memory/1876-128-0x0000000000E10000-0x00000000011D2000-memory.dmp

Filesize
3.8MB

Download
memory/1876-126-0x0000000000E10000-0x00000000011D2000-memory.dmp

Filesize
3.8MB

Download
memory/1876-127-0x0000000000E10000-0x00000000011D2000-memory.dmp

Filesize
3.8MB

Download
memory/2124-29-0x00000000035A0000-0x0000000003962000-memory.dmp

Filesize
3.8MB

Download
memory/2124-25-0x0000000000400000-0x0000000000422000-memory.dmp

Filesize
136KB

Download
memory/2296-198-0x0000000000AC0000-0x0000000000E82000-memory.dmp

Filesize
3.8MB

Download
memory/2296-197-0x0000000000AC0000-0x0000000000E82000-memory.dmp

Filesize
3.8MB

Download
memory/2296-196-0x0000000000AC0000-0x0000000000E82000-memory.dmp

Filesize
3.8MB

Download
memory/2296-152-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2296-195-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2296-213-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2296-151-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2368-32-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/2368-42-0x0000000000E40000-0x0000000001202000-memory.dmp

Filesize
3.8MB

Download
memory/2368-78-0x0000000000400000-0x00000000007C2000-memory.dmp

Filesize
3.8MB

Download
memory/2368-72-0x0000000003EC0000-0x0000000004282000-memory.dmp

Filesize
3.8MB

Download
memory/2608-71-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2608-131-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2608-64-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2608-66-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2608-70-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2608-61-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2608-59-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2608-63-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2608-73-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2608-74-0x0000000000D60000-0x0000000001122000-memory.dmp

Filesize
3.8MB

Download
memory/2608-75-0x0000000000D60000-0x0000000001122000-memory.dmp

Filesize
3.8MB

Download
memory/2608-57-0x0000000000400000-0x00000000004B7000-memory.dmp

Filesize
732KB

Download
memory/2608-124-0x00000000039A0000-0x0000000003D62000-memory.dmp

Filesize
3.8MB

Download
memory/2608-76-0x0000000000D60000-0x0000000001122000-memory.dmp

Filesize
3.8MB

Download