Analysis
  max time kernel: 150s
  max time network: 121s
  platform: windows7_x64
  resource: win7-20240903-en
  resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
  submitted: 07-12-2024 10:26
  Static task: static1
  Behavioral task: behavioral1
    Sample: d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe
    Resource: win7-20240903-en
General
  Target: d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe
  Size: 1.1MB
  MD5: d1f834a0abe1adad23eb99e9d877e8f6
  SHA1: 06047d238c3e5ca4a56a776e03148b4aba5ec842
  SHA256: 1f665d378d61b7030eca36e761d508c5e98197d54c4b4501ea975a6682b134b2
  SHA512: 8d2c9ad9ebf47c75d6b72e95875d00428ca5476ec74dbd536a2d67af1b7ac2ec83f60cc08dbe1f8f59d2e6326b26f227c732321e744a9b666ec67fa0640e4ac5
  SSDEEP: 12288:Na6snd3as6YqYN3/Ry/NdMvQH5M8bKUA0i3PFbxNrOwcxDdArCbnIc4N/HbkGgL/:NviYDCNN5eDdArCjm0P48HZyNwcphW
Malware Config
  Extracted
    Family: darkcomet
    Botnet: Crypted
    C2: jesusmanwoohoo.no-ip.org:1604
    Mutex: DC_MUTEX-EW8ANM5
    Attributes
      gencode: SDj8iuYh55Bf
      install: false
      offline_keylogger: true
      persistence: false
Signatures

Darkcomet family

Executes dropped EXE (2 IoCs)
  pid   Process
  2716  MTvEmAGhp.exe
  1692  MTvEmAGhp.exe

Loads dropped DLL (4 IoCs)
  pid   Process
  2068  d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe
  2068  d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe
  2596  d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe
  2596  d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe

Uses the VBS compiler for execution (1 TTPs)

Adds Run key to start application (2 TTPs, 2 IoCs)
  description      ioc                                                                                                                                                               Process
  Set value (str)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\Microphonehelper.exe"  MTvEmAGhp.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1846800975-3917212583-2893086201-1000\Software\Microsoft\Windows\CurrentVersion\Run\Java = "C:\\Users\\Admin\\AppData\\Roaming\\Microphonehelper.exe"  MTvEmAGhp.exe

Suspicious use of SetThreadContext (3 IoCs)
  description                          pid   Process                                             procid_target
  PID 2068 set thread context of 680   2068  d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe  31
  PID 1716 set thread context of 2740  1716  d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe  34
  PID 2596 set thread context of 2664  2596  d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe  37

Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description  ioc                                                          Process
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MTvEmAGhp.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  dw20.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  MTvEmAGhp.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe
  Key opened   \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language  vbc.exe

Suspicious behavior: EnumeratesProcesses (64 IoCs; distinct rows, the raw report repeats each one many times)
  pid   Process
  2068  d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe
  1716  d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe
  2596  d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs; one row per process, tokens in the order the raw report lists them)
  pid   Process                                             Token(s)
  2068  d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe  SeDebugPrivilege
  680   vbc.exe                                             SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  1716  d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe  SeDebugPrivilege
  2740  vbc.exe                                             SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  2596  d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe  SeDebugPrivilege
  2664  vbc.exe                                             SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege (list cut off at the report's 64-IoC cap)

Suspicious use of SetWindowsHookEx (1 IoCs)
  pid   Process
  680   vbc.exe

Suspicious use of WriteProcessMemory (64 IoCs; distinct rows, the raw report repeats each one many times)
  description                        pid   Process                                             procid_target
  PID 2068 wrote to memory of 680    2068  d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe  31
  PID 2068 wrote to memory of 1716   2068  d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe  32
  PID 2068 wrote to memory of 2716   2068  d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe  33
  PID 1716 wrote to memory of 2740   1716  d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe  34
  PID 1716 wrote to memory of 2864   1716  d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe  35
  PID 2068 wrote to memory of 2596   2068  d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe  36
  PID 2596 wrote to memory of 2664   2596  d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe  37
  PID 2596 wrote to memory of 1692   2596  d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe  38
Processes (indentation shows the parent/child tree; the number in brackets is the depth shown in the raw report)

- [1] C:\Users\Admin\AppData\Local\Temp\d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe  (PID 2068)
      command line: "C:\Users\Admin\AppData\Local\Temp\d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe"
      signatures: Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
  - [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 680)
        command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
        signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
  - [2] C:\Users\Admin\AppData\Local\Temp\d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe  (PID 1716)
        command line: "C:\Users\Admin\AppData\Local\Temp\d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe"
        signatures: Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 2740)
          command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\dw20.exe  (PID 2864)
          command line: dw20.exe -x -s 604
          signatures: System Location Discovery: System Language Discovery
  - [2] C:\Users\Admin\AppData\Roaming\MTvEmAGhp.exe  (PID 2716)
        command line: "C:\Users\Admin\AppData\Roaming\MTvEmAGhp.exe"
        signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery
  - [2] C:\Users\Admin\AppData\Local\Temp\d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe  (PID 2596)
        command line: "C:\Users\Admin\AppData\Local\Temp\d1f834a0abe1adad23eb99e9d877e8f6_JaffaCakes118.exe"
        signatures: Loads dropped DLL; Suspicious use of SetThreadContext; System Location Discovery: System Language Discovery; Suspicious behavior: EnumeratesProcesses; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
    - [3] C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe  (PID 2664)
          command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
          signatures: System Location Discovery: System Language Discovery; Suspicious use of AdjustPrivilegeToken
    - [3] C:\Users\Admin\AppData\Roaming\MTvEmAGhp.exe  (PID 1692)
          command line: "C:\Users\Admin\AppData\Roaming\MTvEmAGhp.exe"
          signatures: Executes dropped EXE; Adds Run key to start application; System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
  Filesize: 4KB
  MD5: 5f9464c4385ac08f48cd0263278dbe0d
  SHA1: 36201364ddc828fb2127495ff7702e3fc5dbad66
  SHA256: 958cdfbb0798de864a34c2c312fec94cc96524cda33695e459ee6d1f6cc14b13
  SHA512: 26bb4a0e9cc4411f39ab1137dc61ea7e8b125d2234e7a355f7195812d63048d0bd785a5a85601521d24e6cd35519acda9645960307359be56da9f1ad19673667