Analysis
max time kernel: 150s
max time network: 153s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 04-11-2024 05:27
Behavioral task: behavioral1
Sample: 8f62b86a64556d62d3192bf4a1ad6660_JaffaCakes118.exe
Resource: win7-20241010-en
General
Target: 8f62b86a64556d62d3192bf4a1ad6660_JaffaCakes118.exe
Size: 1.0MB
MD5: 8f62b86a64556d62d3192bf4a1ad6660
SHA1: 768b87bc641a42119f050c19a94493c908b310a7
SHA256: 408b365717114ce6b406c8b1dfc8dbb49679a2c37758da2a399f2628346a8943
SHA512: 131afb3f106e235649afec855e502212c255484b1b182493ae717300f65aec9f0c62ea5cc457cef6a616fac60ac8b0eb37403dc36aac95e8afc2b59796c11996
SSDEEP: 24576:nFE//Tct4bOsyczmyM8rn8Hry+dFG3K0bbQolC:FSVyczo
Malware Config
Extracted
darkcomet
Guest
larohabi.no-ip.org:1604
larohabi.no-ip.org:8080
larohabi.no-ip.org:100
127.0.0.1:
127.0.0.1:8080
larohabi.no-ip.org:1337
DC_MUTEX-2LPNA5H
InstallPath: IE Explorer\ieexp.exe
gencode: ikLmMzDk59K0
install: true
offline_keylogger: true
persistence: true
reg_key: Windows Updater
Signatures
Darkcomet family
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\IE Explorer\\ieexp.exe" (svzhost.exe)
Disables RegEdit via registry modification 1 IoCs
Processes:
- Set value (int) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (svzhost.exe)
Drops file in Drivers directory 4 IoCs
Processes:
- File opened for modification C:\Windows\system32\drivers\etc\hosts (8f62b86a64556d62d3192bf4a1ad6660_JaffaCakes118.exe)
- File opened for modification C:\Windows\system32\drivers\etc\hosts (svzhost.exe)
- File opened for modification C:\Windows\system32\drivers\etc\hosts (ieexp.exe)
- File opened for modification C:\Windows\system32\drivers\etc\hosts (svzhost.exe)
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
- PID 4992 attrib.exe
- PID 4084 attrib.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
- Key value queried \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation (svzhost.exe)
Executes dropped EXE 7 IoCs
Processes:
- PID 4396 svzhost.exe
- PID 4864 svzhost.exe
- PID 3264 ieexp.exe
- PID 3068 svzhost.exe
- PID 4972 svzhost.exe
- PID 1200 svzhost.exe
- PID 1332 svzhost.exe
Adds Run key to start application 2 TTPs 5 IoCs
Processes:
- Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\svzhost.exe" (svzhost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\svzhost.exe" (8f62b86a64556d62d3192bf4a1ad6660_JaffaCakes118.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Updater = "C:\\Windows\\system32\\IE Explorer\\ieexp.exe" (svzhost.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Users\\Admin\\AppData\\Roaming\\svzhost.exe" (ieexp.exe)
- Set value (str) \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\Windows Updater = "C:\\Windows\\system32\\IE Explorer\\ieexp.exe" (svzhost.exe)
Enumerates connected drives 3 TTPs 64 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
AutoIT Executable 25 IoCs
AutoIT scripts compiled to PE executables.
Drops file in System32 directory 3 IoCs
Processes:
- File created C:\Windows\SysWOW64\IE Explorer\ieexp.exe (svzhost.exe)
- File opened for modification C:\Windows\SysWOW64\IE Explorer\ieexp.exe (svzhost.exe)
- File opened for modification C:\Windows\SysWOW64\IE Explorer\ (svzhost.exe)
Suspicious use of SetThreadContext 4 IoCs
Processes:
- PID 4396 set thread context of 4864 (4396 svzhost.exe; procid_target 101)
- PID 3068 set thread context of 4972 (3068 svzhost.exe; procid_target 127)
- PID 4396 set thread context of 1200 (4396 svzhost.exe; procid_target 130)
- PID 3068 set thread context of 1332 (3068 svzhost.exe; procid_target 133)
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 28 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Gathers network information 2 TTPs 8 IoCs
Uses commandline utility to view network configuration.
Processes:
- PID 1400 ipconfig.exe
- PID 4984 ipconfig.exe
- PID 4144 ipconfig.exe
- PID 2960 ipconfig.exe
- PID 1232 ipconfig.exe
- PID 2456 ipconfig.exe
- PID 4652 ipconfig.exe
- PID 1496 ipconfig.exe
Modifies registry class 1 IoCs
Processes:
- Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (svzhost.exe)
Suspicious behavior: EnumeratesProcesses 64 IoCs
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
- PID 4972 svzhost.exe
Suspicious use of AdjustPrivilegeToken 48 IoCs
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- PID 4972 svzhost.exe
Suspicious use of WriteProcessMemory 64 IoCs
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
- PID 4992 attrib.exe
- PID 4084 attrib.exe
Processes
[1] C:\Users\Admin\AppData\Local\Temp\8f62b86a64556d62d3192bf4a1ad6660_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\8f62b86a64556d62d3192bf4a1ad6660_JaffaCakes118.exe"
    - Drops file in Drivers directory
    - Adds Run key to start application
    - Enumerates connected drives
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID: 4448
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C ipconfig /flushdns
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 2676
    [3] C:\Windows\SysWOW64\ipconfig.exe
        Command line: ipconfig /flushdns
        - System Location Discovery: System Language Discovery
        - Gathers network information
        PID: 4144
  [2] C:\Windows\SysWOW64\cmd.exe
      Command line: C:\Windows\system32\cmd.exe /C ipconfig /flushdns
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      PID: 4244
    [3] C:\Windows\SysWOW64\ipconfig.exe
        Command line: ipconfig /flushdns
        - System Location Discovery: System Language Discovery
        - Gathers network information
        PID: 2960
  [2] C:\Users\Admin\AppData\Roaming\svzhost.exe
      Command line: C:\Users\Admin\AppData\Roaming\svzhost.exe
      - Drops file in Drivers directory
      - Executes dropped EXE
      - Enumerates connected drives
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      PID: 4396
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /C ipconfig /flushdns
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 3256
      [4] C:\Windows\SysWOW64\ipconfig.exe
          Command line: ipconfig /flushdns
          - System Location Discovery: System Language Discovery
          - Gathers network information
          PID: 1232
    [3] C:\Windows\SysWOW64\cmd.exe
        Command line: C:\Windows\system32\cmd.exe /C ipconfig /flushdns
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
        PID: 1528
      [4] C:\Windows\SysWOW64\ipconfig.exe
          Command line: ipconfig /flushdns
          - System Location Discovery: System Language Discovery
          - Gathers network information
          PID: 2456
    [3] C:\Users\Admin\AppData\Roaming\svzhost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\svzhost.exe"
        - Modifies WinLogon for persistence
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Drops file in System32 directory
        - System Location Discovery: System Language Discovery
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 4864
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\svzhost.exe" +s +h
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 3684
        [5] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib "C:\Users\Admin\AppData\Roaming\svzhost.exe" +s +h
            - Sets file to hidden
            - System Location Discovery: System Language Discovery
            - Views/modifies file attributes
            PID: 4992
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming" +s +h
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory
          PID: 4928
        [5] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib "C:\Users\Admin\AppData\Roaming" +s +h
            - Sets file to hidden
            - System Location Discovery: System Language Discovery
            - Views/modifies file attributes
            PID: 4084
      [4] C:\Windows\SysWOW64\notepad.exe
          Command line: notepad
          - System Location Discovery: System Language Discovery
          PID: 2544
      [4] C:\Windows\SysWOW64\IE Explorer\ieexp.exe
          Command line: "C:\Windows\system32\IE Explorer\ieexp.exe"
          - Drops file in Drivers directory
          - Executes dropped EXE
          - Adds Run key to start application
          - Enumerates connected drives
          - System Location Discovery: System Language Discovery
          PID: 3264
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /C ipconfig /flushdns
            - System Location Discovery: System Language Discovery
            PID: 2552
          [6] C:\Windows\SysWOW64\ipconfig.exe
              Command line: ipconfig /flushdns
              - System Location Discovery: System Language Discovery
              - Gathers network information
              PID: 4652
        [5] C:\Windows\SysWOW64\cmd.exe
            Command line: C:\Windows\system32\cmd.exe /C ipconfig /flushdns
            - System Location Discovery: System Language Discovery
            PID: 1384
          [6] C:\Windows\SysWOW64\ipconfig.exe
              Command line: ipconfig /flushdns
              - System Location Discovery: System Language Discovery
              - Gathers network information
              PID: 1496
        [5] C:\Users\Admin\AppData\Roaming\svzhost.exe
            Command line: C:\Users\Admin\AppData\Roaming\svzhost.exe
            - Drops file in Drivers directory
            - Executes dropped EXE
            - Enumerates connected drives
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            PID: 3068
          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /C ipconfig /flushdns
              - System Location Discovery: System Language Discovery
              PID: 1836
            [7] C:\Windows\SysWOW64\ipconfig.exe
                Command line: ipconfig /flushdns
                - System Location Discovery: System Language Discovery
                - Gathers network information
                PID: 1400
          [6] C:\Windows\SysWOW64\cmd.exe
              Command line: C:\Windows\system32\cmd.exe /C ipconfig /flushdns
              - System Location Discovery: System Language Discovery
              PID: 4948
            [7] C:\Windows\SysWOW64\ipconfig.exe
                Command line: ipconfig /flushdns
                - System Location Discovery: System Language Discovery
                - Gathers network information
                PID: 4984
          [6] C:\Users\Admin\AppData\Roaming\svzhost.exe
              Command line: "C:\Users\Admin\AppData\Roaming\svzhost.exe"
              - Disables RegEdit via registry modification
              - Executes dropped EXE
              - Adds Run key to start application
              - System Location Discovery: System Language Discovery
              - Suspicious behavior: GetForegroundWindowSpam
              - Suspicious use of AdjustPrivilegeToken
              - Suspicious use of SetWindowsHookEx
              PID: 4972
            [7] C:\Windows\SysWOW64\notepad.exe
                Command line: notepad
                - System Location Discovery: System Language Discovery
                PID: 856
          [6] C:\Users\Admin\AppData\Roaming\svzhost.exe
              Command line: "C:\Users\Admin\AppData\Roaming\svzhost.exe"
              - Executes dropped EXE
              PID: 1332
    [3] C:\Users\Admin\AppData\Roaming\svzhost.exe
        Command line: "C:\Users\Admin\AppData\Roaming\svzhost.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        PID: 1200
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Defense Evasion
- Hide Artifacts (2)
- Hidden Files and Directories (2)
- Modify Registry (2)
Downloads
Filesize: 1.0MB
MD5: 8f62b86a64556d62d3192bf4a1ad6660
SHA1: 768b87bc641a42119f050c19a94493c908b310a7
SHA256: 408b365717114ce6b406c8b1dfc8dbb49679a2c37758da2a399f2628346a8943
SHA512: 131afb3f106e235649afec855e502212c255484b1b182493ae717300f65aec9f0c62ea5cc457cef6a616fac60ac8b0eb37403dc36aac95e8afc2b59796c11996

Filesize: 2KB
MD5: 9eb8a20ed2717428c865f5ab293e7aea
SHA1: c858b3a85e397d75184dd14639b8e1a79d71dc15
SHA256: 8c89198ad5ee278f57d3e7d2cdbccc54502193a9e49201088dda31d12f0af89b
SHA512: 78d46e5a0596dafab30ed9caa860a1a54a6d5dd17ecbe62fdf9dd9cfa99f9370e51d4bba8c11beff5d7ad37464d2f8182baefb42dcbdc96227c643289ac9f44b

Filesize: 2KB
MD5: b37da08fe26a67ae87e7fec64b8e2fb5
SHA1: dc357e227346e387e8c7c0f0df7bff76c30feb96
SHA256: 5dbe906f83e0c0360b16d47d7d52a9d933437e9c8f4c28553466ec4600dc5f25
SHA512: d87dc0bdbc17bd1d211df13c68c96a9fdab4255f18ff61e9e92b8039fc15468b7cdbd83264d71b8a86666dfbf4e54db359284d53bc097dc2f974ca2e962e0cf2

Filesize: 2KB
MD5: e869cc0a427df276207f96c344b9507a
SHA1: 66450d2e737329fe5957e83abed2b31d2b47de82
SHA256: a2647ed738d5ae1f6421652f2774bc8938528b64b85abf9393927f014e40209a
SHA512: 4647e45e8b660d7c720492dfed186b807f8f4f6f2e355ab0510de45e92a615f8e1d73fa1fce227065e500c2c46cde546250c9ba24809116bac1fba5a449d7448