Malware Analysis Report

2025-08-10 14:27

Sample ID 241030-cqssnssrht
Target 7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118
SHA256 dc4a8fc218f79aea3d18b9326717d5a219c154a6aa6f3a4f7ef258023ebc0692
Tags
darkcomet rs4 discovery evasion persistence rat trojan
score
10/10

Table of Contents

Analysis Overview

MITRE ATT&CK

Enterprise Matrix V15

Analysis: static1

Detonation Overview

Signatures

Analysis: behavioral1

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis: behavioral2

Detonation Overview

Command Line

Signatures

Processes

Network

Files

Analysis Overview

score
10/10

SHA256

dc4a8fc218f79aea3d18b9326717d5a219c154a6aa6f3a4f7ef258023ebc0692

Threat Level: Known bad

The file 7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118 was found to be: Known bad.

Malicious Activity Summary

darkcomet rs4 discovery evasion persistence rat trojan

Darkcomet

Modifies WinLogon for persistence

Darkcomet family

Sets file to hidden

Loads dropped DLL

Executes dropped EXE

Checks computer location settings

Uses the VBS compiler for execution

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Program crash

Views/modifies file attributes

Modifies registry class

Suspicious use of AdjustPrivilegeToken

Suspicious use of WriteProcessMemory

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2024-10-30 02:17

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2024-10-30 02:17

Reported

2024-10-30 02:22

Platform

win7-20240708-en

Max time kernel

119s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Darkcomet family

darkcomet

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A

Sets file to hidden

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Uses the VBS compiler for execution
(vbc.exe is the .NET Framework Visual Basic command-line compiler, a Microsoft-signed binary. In this run it is the process whose memory the sample overwrites, and every later action in the run originates from it; see the SetThreadContext and WriteProcessMemory rows below.)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
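The two persistence rows above (the Winlogon UserInit value and the Run value MicroUpdate) are plain string values, so the same check works on a live host or on a registry export. The following is an added example written for this page, not sandbox or DarkComet code: it splits UserInit into its comma-separated entries and reports everything that is not the stock userinit.exe, and it flags Run-key commands whose image lives in a user-writable directory. The sample values are copied from the rows above; the SecurityHealth entry is a constructed benign control, the list of user-writable directories is an assumption, and environment variables are left unexpanded.

```python
from __future__ import annotations

import re

# Stock UserInit is "C:\Windows\system32\userinit.exe," (trailing comma included).
# Winlogon runs every comma-separated entry at logon, which is why an appended path persists.
STOCK_USERINIT = re.compile(r"^[a-z]:\\windows\\system32\\userinit\.exe$")

# Directories a standard user can write to (assumption: tune for your estate).
USER_WRITABLE_MARKERS = (
    "\\appdata\\local\\temp\\",
    "\\appdata\\roaming\\",
    "\\users\\public\\",
    "\\programdata\\",
)


def _unescape(value: str) -> str:
    """Collapse the doubled backslashes the sandbox report uses when printing registry data."""
    return value.strip().replace("\\\\", "\\")


def _exe_from_cmdline(cmd: str) -> str:
    """First token of a Windows command line: the quoted image path, or text up to the first
    space. An unquoted path containing spaces is ambiguous and is cut at the space on purpose."""
    cmd = _unescape(cmd)
    if cmd.startswith('"'):
        end = cmd.find('"', 1)
        return cmd[1:end if end != -1 else len(cmd)].lower()
    return cmd.split(" ", 1)[0].lower()


def userinit_extra_entries(value: str) -> list[str]:
    """Every UserInit entry that is not the stock userinit.exe (lower-cased, unquoted)."""
    extras = []
    for raw in _unescape(value).split(","):
        entry = raw.strip().strip('"').lower()
        if entry and not STOCK_USERINIT.match(entry):
            extras.append(entry)
    return extras


def suspicious_run_entries(run_values: dict[str, str]) -> list[tuple[str, str, str]]:
    """(value name, executable, matched marker) for Run values starting an image from a
    user-writable directory. Environment variables are not expanded (assumption)."""
    hits = []
    for name, cmd in run_values.items():
        exe = _exe_from_cmdline(cmd)
        for marker in USER_WRITABLE_MARKERS:
            if marker in exe:
                hits.append((name, exe, marker))
                break
    return hits


def assess(userinit: str, run_values: dict[str, str]) -> list[dict]:
    """Both checks combined into ATT&CK-labelled findings."""
    findings = [{"technique": "T1547.004 Winlogon Helper DLL", "key": "Winlogon\\UserInit", "value": e}
                for e in userinit_extra_entries(userinit)]
    findings += [{"technique": "T1547.001 Registry Run Keys", "key": f"Run\\{n}", "value": exe}
                 for n, exe, _ in suspicious_run_entries(run_values)]
    return findings


# Constructed sample input: the two values from the rows above plus one benign Run entry.
SAMPLE_USERINIT = r"C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
SAMPLE_RUN = {
    "MicroUpdate": r'"C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"',
    "SecurityHealth": r"%windir%\system32\SecurityHealthSystray.exe",
}

if __name__ == "__main__":
    for f in assess(SAMPLE_USERINIT, SAMPLE_RUN):
        print(f"{f['technique']:32} {f['key']:20} {f['value']}")
```

On a live host the inputs come from HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon (value Userinit) and from the per-user Run key, which the sandbox shows under \REGISTRY\USER\<SID>\Software\Microsoft\Windows\CurrentVersion\Run. The stock Userinit value ends in a trailing comma, so an empty trailing entry is normal; anything after userinit.exe is not.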

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2332 set thread context of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727 | C:\Windows\SysWOW64\attrib.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\attrib.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\TASKMGR.EXE

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\My Application.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TASKMGR.EXE | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A

Suspicious use of AdjustPrivilegeToken

Process | Privileges adjusted
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, LUID 33 (SeIncreaseWorkingSetPrivilege), LUID 34 (SeTimeZonePrivilege), LUID 35 (SeCreateSymbolicLinkPrivilege)
C:\Users\Admin\AppData\Local\Temp\TASKMGR.EXE | SeDebugPrivilege
(The sandbox lists privileges 33 to 35 only by LUID; the names in parentheses are the well-known Windows privilege constants with those values. Indicator and Target were N/A for every row.)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2332 wrote to memory of 2340 (13 events) | N/A | C:\Users\Admin\AppData\Local\Temp\7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2332 wrote to memory of 2748 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\My Application.exe
PID 2340 wrote to memory of 2924 (4 events) | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 2716 (4 events) | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 2572 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2924 wrote to memory of 2740 (4 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 2340 wrote to memory of 1600 (4 events) | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Users\Admin\AppData\Local\Temp\TASKMGR.EXE
PID 2340 wrote to memory of 3000 (4 events) | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
PID 1600 wrote to memory of 276 (4 events) | N/A | C:\Users\Admin\AppData\Local\Temp\TASKMGR.EXE | C:\Windows\SysWOW64\WerFault.exe
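Read together, the SetThreadContext row and the WriteProcessMemory rows above describe process hollowing: the sample (PID 2332) writes into the freshly created vbc.exe (PID 2340) and then resets its thread context, after which every further process in the run is spawned by vbc.exe. The following is an added example for this page, not tooling from the sandbox vendor: it parses rows in the layout printed above into a process tree, flags source/target pairs that show both a memory write and a thread-context change into a different binary, and checks a command line for the attrib +h evasion shown in the Processes section below. The rows and the command line are constructed from this report (one row per distinct edge, repeated events omitted); treating the first write from A to B as the parent/child relation is an assumption about how the sandbox logs process creation.

```python
from __future__ import annotations

import re
from collections import defaultdict

ROW_RE = re.compile(r"^PID (\d+) (wrote to memory of|set thread context of) (\d+)\s+N/A\s+(.+)$")
PATH_START = re.compile(r"(?<!\S)[A-Za-z]:\\")   # a path starts at "X:\" preceded by whitespace
FLAG_RE = re.compile(r"^[+-][rash]$", re.IGNORECASE)


def _split_paths(tail: str) -> list[str]:
    """Split 'C:\\a b.exe C:\\c.exe' into its paths even when a path contains spaces."""
    starts = [m.start() for m in PATH_START.finditer(tail)]
    return [tail[a:b].strip() for a, b in zip(starts, starts[1:] + [len(tail)])]


def parse_rows(text: str) -> tuple[dict[int, str], list[tuple[int, str, int]]]:
    """images: pid -> image path; edges: (source pid, 'write' | 'ctx', target pid)."""
    images: dict[int, str] = {}
    edges: list[tuple[int, str, int]] = []
    for line in text.strip().splitlines():
        m = ROW_RE.match(line.strip())
        if not m:
            continue                      # header or a row type this parser does not model
        src, action, dst = int(m[1]), m[2], int(m[3])
        paths = _split_paths(m[4])
        if len(paths) != 2:
            raise ValueError(f"cannot split process/target paths in: {line!r}")
        images.setdefault(src, paths[0])
        images.setdefault(dst, paths[1])
        edges.append((src, "write" if action.startswith("wrote") else "ctx", dst))
    return images, edges


def process_tree(edges) -> dict[int, list[int]]:
    """parent -> children in first-seen order. Assumption: the sandbox's first 'wrote to
    memory of' from A to B is the CreateProcess-time write, so A is treated as B's parent."""
    children: dict[int, list[int]] = defaultdict(list)
    for src, action, dst in edges:
        if action == "write" and dst != src and dst not in children[src]:
            children[src].append(dst)
    return dict(children)


def hollowing_candidates(images, edges) -> list[tuple[int, str, int, str]]:
    """Pairs where A both wrote B's memory and reset B's thread context while B runs a
    different binary: the write-payload-then-SetThreadContext sequence of hollowing."""
    writes = {(s, d) for s, a, d in edges if a == "write"}
    ctx = {(s, d) for s, a, d in edges if a == "ctx"}
    return [(s, images[s], d, images[d]) for s, d in sorted(writes & ctx)
            if images[s].lower() != images[d].lower()]


def render_tree(images, children, root: int, depth: int = 0) -> list[str]:
    lines = [f"{'  ' * depth}{root}  {images.get(root, '?')}"]
    for child in children.get(root, []):
        lines += render_tree(images, children, child, depth + 1)
    return lines


def _win_tokens(cmd: str) -> list[str]:
    """Whitespace tokens, keeping double-quoted spans (which may contain spaces) together."""
    return [t.strip('"') for t in re.findall(r'"[^"]*"|\S+', cmd)]


def hidden_system_object(cmdline: str) -> str | None:
    """The path if the command line runs attrib with +h against something under C:\\Windows\\,
    else None. Flags may appear before or after the path, as attrib.exe itself allows."""
    toks = _win_tokens(cmdline)
    idx = next((i for i, t in enumerate(toks)
                if t.lower().rsplit("\\", 1)[-1] in ("attrib", "attrib.exe")), None)
    if idx is None:
        return None
    rest = toks[idx + 1:]
    flags = {t.lower() for t in rest if FLAG_RE.match(t)}
    paths = [t for t in rest if not FLAG_RE.match(t) and not t.startswith("/")]
    if "+h" in flags and paths and paths[0].lower().startswith("c:\\windows\\"):
        return paths[0]
    return None


# Constructed sample: one row per distinct edge in the behavioral1 tables above, same layout.
SAMPLE_ROWS = r"""
PID 2332 set thread context of 2340 N/A C:\Users\Admin\AppData\Local\Temp\7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2332 wrote to memory of 2340 N/A C:\Users\Admin\AppData\Local\Temp\7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118.exe C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2332 wrote to memory of 2748 N/A C:\Users\Admin\AppData\Local\Temp\7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118.exe C:\Users\Admin\AppData\Local\Temp\My Application.exe
PID 2340 wrote to memory of 2924 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2340 wrote to memory of 2716 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Windows\SysWOW64\cmd.exe
PID 2716 wrote to memory of 2572 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2924 wrote to memory of 2740 N/A C:\Windows\SysWOW64\cmd.exe C:\Windows\SysWOW64\attrib.exe
PID 2340 wrote to memory of 1600 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Users\Admin\AppData\Local\Temp\TASKMGR.EXE
PID 2340 wrote to memory of 3000 N/A C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
PID 1600 wrote to memory of 276 N/A C:\Users\Admin\AppData\Local\Temp\TASKMGR.EXE C:\Windows\SysWOW64\WerFault.exe
"""
SAMPLE_CMDLINE = r'"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h'

if __name__ == "__main__":
    images, edges = parse_rows(SAMPLE_ROWS)
    print("\n".join(render_tree(images, process_tree(edges), 2332)))
    for s, si, d, di in hollowing_candidates(images, edges):
        print(f"hollowing: {s} ({si}) -> {d} ({di})")
    print("hidden system object:", hidden_system_object(SAMPLE_CMDLINE))
```

The image-mismatch test in hollowing_candidates is what separates hollowing from a parent merely writing startup data into a child of the same binary; on the rows above it singles out the single 2332 -> 2340 pair, and the tree makes it obvious that msdcsc.exe, TASKMGR.EXE and both attrib commands are children of the hollowed vbc.exe, not of the original sample.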

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Users\Admin\AppData\Local\Temp\My Application.exe

"C:\Users\Admin\AppData\Local\Temp\My Application.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h

C:\Users\Admin\AppData\Local\Temp\TASKMGR.EXE

"C:\Users\Admin\AppData\Local\Temp\TASKMGR.EXE"

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 1056

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | automation.whatismyip.com | udp
N/A | 127.0.0.1:80 | (none) | tcp

Files

memory/2332-0-0x0000000074F21000-0x0000000074F22000-memory.dmp

memory/2332-1-0x0000000074F20000-0x00000000754CB000-memory.dmp

memory/2332-2-0x0000000074F20000-0x00000000754CB000-memory.dmp

memory/2340-3-0x0000000000400000-0x0000000000531000-memory.dmp

memory/2340-8-0x0000000000400000-0x0000000000531000-memory.dmp

memory/2340-14-0x0000000000400000-0x0000000000531000-memory.dmp

memory/2340-17-0x0000000000400000-0x0000000000531000-memory.dmp

memory/2340-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2340-11-0x0000000000400000-0x0000000000531000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\My Application.exe

MD5 e031e5491425690d44aa78fd354369be
SHA1 476247963de5cb437a74b4e4998d7481300a6e4f
SHA256 fdbe83346b24ddb37c3d8ffb13c58e3249990f85afaf1bbf27cfcfb3096f095c
SHA512 f1d42d4a5ebb9983588922175b51f720988771239ab79566de32ae26cd649cfeee8085a11ea67a31aaebdee52ca17e54edb5f9c9e2ec3c4128da143747f0f373

memory/2340-23-0x0000000000280000-0x0000000000281000-memory.dmp

memory/2332-24-0x0000000074F20000-0x00000000754CB000-memory.dmp

memory/2340-10-0x0000000000400000-0x0000000000531000-memory.dmp

memory/2340-9-0x0000000000400000-0x0000000000531000-memory.dmp

memory/2340-15-0x0000000000400000-0x0000000000531000-memory.dmp

memory/2340-7-0x0000000000400000-0x0000000000531000-memory.dmp

memory/2340-6-0x0000000000400000-0x0000000000531000-memory.dmp

memory/2340-5-0x0000000000400000-0x0000000000531000-memory.dmp

\Users\Admin\AppData\Local\Temp\TASKMGR.EXE

MD5 89d3827b3bf71a62537e026285407a70
SHA1 90fa59f8f1312b1dca2b0a03ee9c5ba20ad4df6f
SHA256 ecdfb702317472c6e9e6c91fbbdd0488a8024fdf215961c15d0cacd91258ada1
SHA512 73a664fd9fa45a0d2d9c13017e2c3e762beaad85544550849855494548ebf6e8d62a4fd942e2aa61f9d1cac043774153be1d32957d095ef3b7d286bc8bed2943

memory/1600-34-0x0000000000960000-0x00000000009E6000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

MD5 34aa912defa18c2c129f1e09d75c1d7e
SHA1 9c3046324657505a30ecd9b1fdb46c05bde7d470
SHA256 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
SHA512 d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

(This copy differs from the msdcsc.exe written in behavioral2, whose MD5 there is d881de17aa8f2e2c08cbb7b265f928f9, so the persisted file is not byte-identical across runs; My Application.exe and TASKMGR.EXE carry identical hashes in both runs.)

memory/2340-41-0x0000000000400000-0x0000000000531000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2024-10-30 02:17

Reported

2024-10-30 02:23

Platform

win10v2004-20241007-en

Max time kernel

148s

Max time network

152s

Command Line

"C:\Users\Admin\AppData\Local\Temp\7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118.exe"

Signatures

Darkcomet

trojan rat darkcomet

Darkcomet family

darkcomet

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A

Sets file to hidden

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118.exe | N/A

Uses the VBS compiler for execution
(vbc.exe is the .NET Framework Visual Basic command-line compiler, a Microsoft-signed binary. In this run it is the process whose memory the sample overwrites, and every later action in the run originates from it; see the SetThreadContext and WriteProcessMemory rows below.)

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 3092 set thread context of 3508 | N/A | C:\Users\Admin\AppData\Local\Temp\7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727 | C:\Windows\SysWOW64\attrib.exe | N/A
File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\attrib.exe | N/A

Enumerates physical storage devices

Program crash

Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\TASKMGR.EXE

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\My Application.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TASKMGR.EXE | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Process | Privileges adjusted
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, LUID 33 (SeIncreaseWorkingSetPrivilege), LUID 34 (SeTimeZonePrivilege), LUID 35 (SeCreateSymbolicLinkPrivilege), LUID 36 (SeDelegateSessionUserImpersonatePrivilege)
C:\Users\Admin\AppData\Local\Temp\TASKMGR.EXE | SeDebugPrivilege
(The sandbox lists privileges 33 to 36 only by LUID; the names in parentheses are the well-known Windows privilege constants with those values. Indicator and Target were N/A for every row.)

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 3092 wrote to memory of 3508 (14 events) | N/A | C:\Users\Admin\AppData\Local\Temp\7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 3508 wrote to memory of 3424 (3 events) | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 3092 wrote to memory of 3856 (3 events) | N/A | C:\Users\Admin\AppData\Local\Temp\7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\My Application.exe
PID 3508 wrote to memory of 664 (3 events) | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\cmd.exe
PID 3508 wrote to memory of 404 (3 events) | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Users\Admin\AppData\Local\Temp\TASKMGR.EXE
PID 3424 wrote to memory of 220 (3 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 664 wrote to memory of 928 (3 events) | N/A | C:\Windows\SysWOW64\cmd.exe | C:\Windows\SysWOW64\attrib.exe
PID 3508 wrote to memory of 512 (3 events) | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

Views/modifies file attributes

evasion
Description | Indicator | Process | Target
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A
N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A

Processes

C:\Users\Admin\AppData\Local\Temp\7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118.exe

"C:\Users\Admin\AppData\Local\Temp\7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h

C:\Users\Admin\AppData\Local\Temp\My Application.exe

"C:\Users\Admin\AppData\Local\Temp\My Application.exe"

C:\Windows\SysWOW64\cmd.exe

"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h

C:\Users\Admin\AppData\Local\Temp\TASKMGR.EXE

"C:\Users\Admin\AppData\Local\Temp\TASKMGR.EXE"

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h

C:\Windows\SysWOW64\attrib.exe

attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 404 -ip 404

C:\Windows\SysWOW64\WerFault.exe

C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1516

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.27.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp
US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp
US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp
US | 8.8.8.8:53 | automation.whatismyip.com | udp
N/A | 127.0.0.1:80 | (none) | tcp
US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp
US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp
US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.28.10:443 | tse1.mm.bing.net | tcp (5 connections)

Only the automation.whatismyip.com lookup and the connection attempt to 127.0.0.1:80 also appear in the Windows 7 run (behavioral1). The Bing hosts and the in-addr.arpa reverse lookups are typical Windows 10 background traffic and should not be attributed to the sample without further evidence.

Files

memory/3092-0-0x0000000074932000-0x0000000074933000-memory.dmp

memory/3092-1-0x0000000074930000-0x0000000074EE1000-memory.dmp

memory/3092-2-0x0000000074930000-0x0000000074EE1000-memory.dmp

memory/3508-3-0x0000000000400000-0x0000000000531000-memory.dmp

memory/3508-4-0x0000000000400000-0x0000000000531000-memory.dmp

memory/3508-5-0x0000000000400000-0x0000000000531000-memory.dmp

memory/3508-6-0x0000000000400000-0x0000000000531000-memory.dmp

memory/3508-8-0x0000000000400000-0x0000000000531000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\My Application.exe

MD5 e031e5491425690d44aa78fd354369be
SHA1 476247963de5cb437a74b4e4998d7481300a6e4f
SHA256 fdbe83346b24ddb37c3d8ffb13c58e3249990f85afaf1bbf27cfcfb3096f095c
SHA512 f1d42d4a5ebb9983588922175b51f720988771239ab79566de32ae26cd649cfeee8085a11ea67a31aaebdee52ca17e54edb5f9c9e2ec3c4128da143747f0f373

C:\Users\Admin\AppData\Local\Temp\TASKMGR.EXE

MD5 89d3827b3bf71a62537e026285407a70
SHA1 90fa59f8f1312b1dca2b0a03ee9c5ba20ad4df6f
SHA256 ecdfb702317472c6e9e6c91fbbdd0488a8024fdf215961c15d0cacd91258ada1
SHA512 73a664fd9fa45a0d2d9c13017e2c3e762beaad85544550849855494548ebf6e8d62a4fd942e2aa61f9d1cac043774153be1d32957d095ef3b7d286bc8bed2943

memory/3092-31-0x0000000074930000-0x0000000074EE1000-memory.dmp

memory/404-34-0x0000000000D30000-0x0000000000DB6000-memory.dmp

memory/404-35-0x0000000005710000-0x0000000005CB4000-memory.dmp

memory/404-36-0x0000000005020000-0x00000000050BC000-memory.dmp

memory/404-37-0x0000000005200000-0x0000000005292000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe

MD5 d881de17aa8f2e2c08cbb7b265f928f9
SHA1 08936aebc87decf0af6e8eada191062b5e65ac2a
SHA256 b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA512 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

memory/3508-96-0x0000000000400000-0x0000000000531000-memory.dmp