darkcomet | f658e5db4dd562be92458a18a84e0713eb3ac9c7ae13f02767ee6ae0376efbb4

Analysis

max time kernel
150s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
18-10-2024 21:14

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Size

1.4MB
MD5

5968bd1843bca9ec5b655c9fdf219e8e
SHA1

c44f9696d0ff3ac324c549615fe06d52899e199b
SHA256

f658e5db4dd562be92458a18a84e0713eb3ac9c7ae13f02767ee6ae0376efbb4
SHA512

c252e3feabf3435fd8135d92d619ce5ee1e67e94ea59b10d54451dbb3985dd8ab6be750c4d539952f292691fc7678b83cfbc5828af4cc7c1db390ecd680bdd19
SSDEEP

24576:Gu+mLlxpqrdJwkbVYG3HklghoOLGTEANNOIZauPVTOMUC:mElxYBJwwqGUl1kcEYauPV

Score

10^/10

darkcomet discovery evasion persistence rat trojan

Malware Config

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\MSDCSC\\msdos32.exe"	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exe

pid	Process
1036	attrib.exe
3472	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

Processes:

5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe

Executes dropped EXE 3 IoCs

Processes:

5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exemsdos32.exemsdos32.exe

pid	Process
2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
1872	msdos32.exe
2768	msdos32.exe

Uses the VBS compiler for execution 1 TTPs

Command and Scripting Interpreter
T1059

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exemsdos32.exe

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysUpdate = "C:\\Windows\\MSDCSC\\msdos32.exe"	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\sysUpdate = "C:\\Windows\\MSDCSC\\msdos32.exe"	msdos32.exe

Suspicious use of SetThreadContext 2 IoCs

Processes:

5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exemsdos32.exe

description	pid	Process	procid_target
PID 4340 set thread context of 2520	4340	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	90
PID 1872 set thread context of 2768	1872	msdos32.exe	110

Drops file in Windows directory 3 IoCs

Processes:

5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe

description	ioc	Process
File opened for modification	C:\Windows\MSDCSC\msdos32.exe	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
File opened for modification	C:\Windows\MSDCSC\	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
File created	C:\Windows\MSDCSC\msdos32.exe	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 12 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

Processes:

5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.execmd.exeattrib.exeattrib.exemsdos32.exevbc.execvtres.exevbc.execvtres.execmd.exemsdos32.exe

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdos32.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vbc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cvtres.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdos32.exe

Modifies registry class 1 IoCs

Processes:

5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

msdos32.exe

pid	Process
2768	msdos32.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exemsdos32.exe

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeSecurityPrivilege	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeSystemtimePrivilege	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeBackupPrivilege	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeRestorePrivilege	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeShutdownPrivilege	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeDebugPrivilege	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeUndockPrivilege	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeManageVolumePrivilege	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeImpersonatePrivilege	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: 33	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: 34	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: 35	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: 36	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2768	msdos32.exe
Token: SeSecurityPrivilege	2768	msdos32.exe
Token: SeTakeOwnershipPrivilege	2768	msdos32.exe
Token: SeLoadDriverPrivilege	2768	msdos32.exe
Token: SeSystemProfilePrivilege	2768	msdos32.exe
Token: SeSystemtimePrivilege	2768	msdos32.exe
Token: SeProfSingleProcessPrivilege	2768	msdos32.exe
Token: SeIncBasePriorityPrivilege	2768	msdos32.exe
Token: SeCreatePagefilePrivilege	2768	msdos32.exe
Token: SeBackupPrivilege	2768	msdos32.exe
Token: SeRestorePrivilege	2768	msdos32.exe
Token: SeShutdownPrivilege	2768	msdos32.exe
Token: SeDebugPrivilege	2768	msdos32.exe
Token: SeSystemEnvironmentPrivilege	2768	msdos32.exe
Token: SeChangeNotifyPrivilege	2768	msdos32.exe
Token: SeRemoteShutdownPrivilege	2768	msdos32.exe
Token: SeUndockPrivilege	2768	msdos32.exe
Token: SeManageVolumePrivilege	2768	msdos32.exe
Token: SeImpersonatePrivilege	2768	msdos32.exe
Token: SeCreateGlobalPrivilege	2768	msdos32.exe
Token: 33	2768	msdos32.exe
Token: 34	2768	msdos32.exe
Token: 35	2768	msdos32.exe
Token: 36	2768	msdos32.exe

Suspicious use of SetWindowsHookEx 1 IoCs

Processes:

msdos32.exe

pid	Process
2768	msdos32.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exevbc.exe5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.execmd.execmd.exemsdos32.exevbc.exemsdos32.exe

description	pid	Process	procid_target
PID 4340 wrote to memory of 2320	4340	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	86
PID 4340 wrote to memory of 2320	4340	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	86
PID 4340 wrote to memory of 2320	4340	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	86
PID 2320 wrote to memory of 2856	2320	vbc.exe	89
PID 2320 wrote to memory of 2856	2320	vbc.exe	89
PID 2320 wrote to memory of 2856	2320	vbc.exe	89
PID 4340 wrote to memory of 2520	4340	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	90
PID 4340 wrote to memory of 2520	4340	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	90
PID 4340 wrote to memory of 2520	4340	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	90
PID 4340 wrote to memory of 2520	4340	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	90
PID 4340 wrote to memory of 2520	4340	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	90
PID 4340 wrote to memory of 2520	4340	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	90
PID 4340 wrote to memory of 2520	4340	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	90
PID 4340 wrote to memory of 2520	4340	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	90
PID 4340 wrote to memory of 2520	4340	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	90
PID 4340 wrote to memory of 2520	4340	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	90
PID 4340 wrote to memory of 2520	4340	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	90
PID 4340 wrote to memory of 2520	4340	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	90
PID 4340 wrote to memory of 2520	4340	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	90
PID 4340 wrote to memory of 2520	4340	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	90
PID 4340 wrote to memory of 2520	4340	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	90
PID 4340 wrote to memory of 2520	4340	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	90
PID 4340 wrote to memory of 2520	4340	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	90
PID 4340 wrote to memory of 2520	4340	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	90
PID 2520 wrote to memory of 1812	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	98
PID 2520 wrote to memory of 1812	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	98
PID 2520 wrote to memory of 1812	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	98
PID 2520 wrote to memory of 2516	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	100
PID 2520 wrote to memory of 2516	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	100
PID 2520 wrote to memory of 2516	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	100
PID 2516 wrote to memory of 3472	2516	cmd.exe	102
PID 2516 wrote to memory of 3472	2516	cmd.exe	102
PID 2516 wrote to memory of 3472	2516	cmd.exe	102
PID 1812 wrote to memory of 1036	1812	cmd.exe	103
PID 1812 wrote to memory of 1036	1812	cmd.exe	103
PID 1812 wrote to memory of 1036	1812	cmd.exe	103
PID 2520 wrote to memory of 1872	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	106
PID 2520 wrote to memory of 1872	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	106
PID 2520 wrote to memory of 1872	2520	5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe	106
PID 1872 wrote to memory of 3588	1872	msdos32.exe	107
PID 1872 wrote to memory of 3588	1872	msdos32.exe	107
PID 1872 wrote to memory of 3588	1872	msdos32.exe	107
PID 3588 wrote to memory of 1576	3588	vbc.exe	109
PID 3588 wrote to memory of 1576	3588	vbc.exe	109
PID 3588 wrote to memory of 1576	3588	vbc.exe	109
PID 1872 wrote to memory of 2768	1872	msdos32.exe	110
PID 1872 wrote to memory of 2768	1872	msdos32.exe	110
PID 1872 wrote to memory of 2768	1872	msdos32.exe	110
PID 1872 wrote to memory of 2768	1872	msdos32.exe	110
PID 1872 wrote to memory of 2768	1872	msdos32.exe	110
PID 1872 wrote to memory of 2768	1872	msdos32.exe	110
PID 1872 wrote to memory of 2768	1872	msdos32.exe	110
PID 1872 wrote to memory of 2768	1872	msdos32.exe	110
PID 1872 wrote to memory of 2768	1872	msdos32.exe	110
PID 1872 wrote to memory of 2768	1872	msdos32.exe	110
PID 1872 wrote to memory of 2768	1872	msdos32.exe	110
PID 1872 wrote to memory of 2768	1872	msdos32.exe	110
PID 1872 wrote to memory of 2768	1872	msdos32.exe	110
PID 1872 wrote to memory of 2768	1872	msdos32.exe	110
PID 1872 wrote to memory of 2768	1872	msdos32.exe	110
PID 1872 wrote to memory of 2768	1872	msdos32.exe	110
PID 1872 wrote to memory of 2768	1872	msdos32.exe	110
PID 1872 wrote to memory of 2768	1872	msdos32.exe	110
PID 2768 wrote to memory of 2340	2768	msdos32.exe	111

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

Processes:

attrib.exeattrib.exe

pid	Process
1036	attrib.exe
3472	attrib.exe

C:\Users\Admin\AppData\Local\Temp\5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4340
- C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
  "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\dhgp1cua.cmdline"
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2320
- - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESBC99.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc19E8DDDEC429475693D6D8D024FA2234.TMP"
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2856
- C:\Users\Admin\AppData\Local\Microsoft\Windows\5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
  C:\Users\Admin\AppData\Local\Microsoft\Windows\5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe
  2⤵
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Executes dropped EXE
  - Adds Run key to start application
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2520
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1812
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1036
- - C:\Windows\SysWOW64\cmd.exe
    C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2516
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3472
- - C:\Windows\MSDCSC\msdos32.exe
    "C:\Windows\MSDCSC\msdos32.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1872
  - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\7ur4xoyl.cmdline"
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:3588
    - - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
        
        C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESD968.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc7E2E86528C4A4B8A81B5B4A52BBFBE2B.TMP"
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1576
  - - C:\Users\Admin\AppData\Local\Microsoft\Windows\msdos32.exe
      C:\Users\Admin\AppData\Local\Microsoft\Windows\msdos32.exe
      4⤵
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      Suspicious behavior: GetForegroundWindowSpam
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2768
    - - C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        5⤵
        
        PID:2340
    - - C:\Windows\explorer.exe
        
        "C:\Windows\explorer.exe"
        5⤵
        
        PID:4992

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Command and Scripting Interpreter

T1059

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Microsoft\Windows\5968bd1843bca9ec5b655c9fdf219e8e_JaffaCakes118.exe

Filesize
1024B

MD5
54b1c45da8980b32759042e2c3c78dfb

SHA1
11e8bc2db98786c69e5dadf53d00ff3ee03d64f8

SHA256
9d5efce48ed68dcb4caaa7fbecaf47ce2cab0a023afc6ceed682d1d532823773

SHA512
73169989b97a032fe923272fbe4bc27be77e491d125b360120fc1e02419d99f807b1f62a3edaff85ebfd16e9c240ec295be9431cfe4d6c353f0cf0dbeec4d2ac

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ur4xoyl.cmdline

Filesize
246B

MD5
1a7693832aa1669f56032ccddb51a8e6

SHA1
0cd4c00ca3423434583d9cf8cd8a26f7d0192b9e

SHA256
bc0dd8bcb5b812f282bf9a8c766d356a80ccfe2c223c689ce4290f8c4de32f42

SHA512
9f9ead08aea69ac8a512ec639b85b9f200d5bf8aa84a2fd00db2dcadc2fb3d731f22aaa2727919b03d9514b03d808335b2ba77bba5d2626c9be012b95d78fcec

Download Submit
C:\Users\Admin\AppData\Local\Temp\7ur4xoyl.dll

Filesize
6KB

MD5
4aa98f6ba0fd015f087da29889d02636

SHA1
5e1bf85d8d6d724b63a223a56075f5773d902652

SHA256
2a1f492b4f77689f11b47cedb5c3c592396ab30e8546250f2f770bbf450d3184

SHA512
65f23c95082fc13010f5d767124e4d8ed2a0d39b1891366a2c8244e2fe3e8a70cd883c18da51914045b5a10cbed4fbbafae6c0820ef375ea75745dba8f49472b

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESBC99.tmp

Filesize
1KB

MD5
987900d0139e52713566fdcad28e7fd9

SHA1
48b08a492051b876119b3342baee9fe5387029ef

SHA256
3364e1f55eac49215ba92af0da7404f2b17fde0d89b6883a425c1be009365346

SHA512
8fd8cb8d9c0cff44ba3453b3745da5c538e96d036f03fd916d22a216aacd014104907dad9896f1bdb570e74e92c9bdbbdf06540720e7b6e3cd5472bad6ea9bf5

Download Submit
C:\Users\Admin\AppData\Local\Temp\RESD968.tmp

Filesize
1KB

MD5
81806a83051738fb498efd7472ef2a38

SHA1
71f368a64f53992991658629ba305c2e2a8dc3c7

SHA256
0347c56c4155e5e67c3ec99aaa33077c6bf13d7fc808ed594e03e520534f7a88

SHA512
19b27057819eac9545632cd1be3d194386e89fb096d47c8568e3078b260763b5204f072f733eb49d8c857e6c21d406aa509ce2ea3d3d688b45687f7c283e6c2e

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhgp1cua.0.vb

Filesize
666B

MD5
a40f41925008597deb9a75218634e675

SHA1
146f93c94a7c3d84a4dbc1efeddd2aa0d7a5456d

SHA256
9e1b80bb2db37bfc093ff795c06f28d62ca0026cbe34ecdf674cb2effe3aef21

SHA512
b8aee23b2be41e8537daed7f528a2ad60a4303e541020bf639f56319ceec2b5c568c83ca90fe593549294a35cef8b107bd2c72bb2f6c2959b17e47110e4d744d

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhgp1cua.cmdline

Filesize
246B

MD5
a8eaeb0aa86a5a0f32e2f21ed1b7a241

SHA1
cf4a89a12aae198a551106c72cfb9fcbcc262bba

SHA256
cfebfb1a12c713aad8ef1b90940749d8542bae32e97508717340e1ae3182b553

SHA512
c13a6f0a52629482b925efde5ce613539ba3549e45db8277d34346fb0ed51f8ca66897cbacb0d0b4615f322fc6d79791a26d6d67a44b1cf07ce523afce14026b

Download Submit
C:\Users\Admin\AppData\Local\Temp\dhgp1cua.dll

Filesize
6KB

MD5
03c4d9407647d769a4e6edd5317f206e

SHA1
16a2d17e329afc804c45c21ea29eb90739207009

SHA256
dce9ac1da0e8b5dc31b87f4a716cfff92ff41ae7f06e80225c4054a250dc3fe7

SHA512
f23d63a5894516a5765965f4969b961f196df46de638e2133e537bb123e879031062ab096ba6ab1a7b011be27c40ea2593466a3d13fa90b0f7b079eabbf3e146

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

Filesize
50B

MD5
b774ae3fb1da087e1f83b4f7b2060e5a

SHA1
97eb9be49ac3af9c851c9e1e84e32bfd53e325a8

SHA256
adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b

SHA512
f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc19E8DDDEC429475693D6D8D024FA2234.TMP

Filesize
652B

MD5
6d31777e31eda63919dbef50b3e61e13

SHA1
40ff047844701a2af1daba1057ccc7f63db285d5

SHA256
63523fe869b2a0fe6d085f4139fa5dca402c92b3e93cd32df5ba125c97001318

SHA512
c2943c04111259bdab1743d0280b9ac688ecd79700cf589c248bd66e368a06026fc5ac7e0d7a58d045463dc5809b5b20d0930d194d5ab9704032a6b4f08ab3c9

Download Submit
C:\Users\Admin\AppData\Local\Temp\vbc7E2E86528C4A4B8A81B5B4A52BBFBE2B.TMP

Filesize
652B

MD5
89e93ba154797876122b9b9171d4c3e4

SHA1
b8d7236f2bca3603ef23347530a8bc39413093ad

SHA256
e071fb92f4d0fddabd6e2d494e7c06b28ca021aa3ebdcd9936e95df0fa11c50b

SHA512
f0890485264e21e738d9892c44c6d9529bcb2fde53cbbd9b6f4f8ba55550b943f10e865c75dc02b0025379d76fae7f9d686f0a7cf682b6260453a77cc32f0ee5

Download Submit
C:\Users\Admin\AppData\Local\Temp\wmpnetk.exe

MD5
d41d8cd98f00b204e9800998ecf8427e

SHA1
da39a3ee5e6b4b0d3255bfef95601890afd80709

SHA256
e3b0c44298fc1c149afbf4c8996fb92427ae41e4649b934ca495991b7852b855

SHA512
cf83e1357eefb8bdf1542850d66d8007d620e4050b5715dc83f4a921d36ce9ce47d0d13c5d85f2b0ff8318d2877eec2f63b931bd47417a81a538327af927da3e

Download Submit
C:\Windows\MSDCSC\msdos32.exe

Filesize
1.4MB

MD5
5968bd1843bca9ec5b655c9fdf219e8e

SHA1
c44f9696d0ff3ac324c549615fe06d52899e199b

SHA256
f658e5db4dd562be92458a18a84e0713eb3ac9c7ae13f02767ee6ae0376efbb4

SHA512
c252e3feabf3435fd8135d92d619ce5ee1e67e94ea59b10d54451dbb3985dd8ab6be750c4d539952f292691fc7678b83cfbc5828af4cc7c1db390ecd680bdd19

Download Submit
memory/2320-16-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/2320-7-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/2520-23-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2520-26-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2520-30-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2520-32-0x00000000022A0000-0x00000000022A1000-memory.dmp

Filesize
4KB

Download
memory/2520-102-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2520-28-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2768-141-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2768-136-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2768-148-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2768-147-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2768-128-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2768-131-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2768-130-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2768-133-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2768-134-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2768-132-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2768-135-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2768-146-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2768-137-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2768-138-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2768-139-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2768-140-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2768-145-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2768-142-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2768-143-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/2768-144-0x0000000000400000-0x00000000004DB000-memory.dmp

Filesize
876KB

Download
memory/4340-31-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/4340-0-0x0000000074872000-0x0000000074873000-memory.dmp

Filesize
4KB

Download
memory/4340-1-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download
memory/4340-2-0x0000000074870000-0x0000000074E21000-memory.dmp

Filesize
5.7MB

Download