Analysis Overview
SHA256
c0b48f072b3da8928af26a9cfad54918744f9a1f109a29d57d80156ec5816b23
Threat Level: Known bad
The file JaffaCakes118_c0b48f072b3da8928af26a9cfad54918744f9a1f109a29d57d80156ec5816b23 was found to be: Known bad.
Malicious Activity Summary
DCRat payload
Dcrat family
DcRat
Process spawned unexpected child process
Command and Scripting Interpreter: PowerShell
Executes dropped EXE
Loads dropped DLL
Checks computer location settings
Legitimate hosting services abused for malware hosting/C2
Drops file in System32 directory
Drops file in Windows directory
Drops file in Program Files directory
System Location Discovery: System Language Discovery
Enumerates physical storage devices
Unsigned PE
Suspicious use of WriteProcessMemory
Modifies registry class
Scheduled Task/Job: Scheduled Task
Suspicious use of AdjustPrivilegeToken
Uses Task Scheduler COM API
Suspicious behavior: EnumeratesProcesses
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-12-30 17:39
Signatures
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Dcrat family
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-12-30 17:39
Reported
2024-12-30 17:41
Platform
win7-20241010-en
Max time kernel
149s
Max time network
155s
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\hr-HR\audiodg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\hr-HR\audiodg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\hr-HR\audiodg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\hr-HR\audiodg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\hr-HR\audiodg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\hr-HR\audiodg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\hr-HR\audiodg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\hr-HR\audiodg.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\hr-HR\audiodg.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Drops file in System32 directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\SysWOW64\hr-HR\audiodg.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\SysWOW64\hr-HR\42af1c969fbb7b | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Program Files directory
| Description | Indicator | Process | Target |
| File created | C:\Program Files\Mozilla Firefox\sppsvc.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files\Mozilla Firefox\0a1fd5f707cd16 | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\SIGNUP\WmiPrvSE.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Program Files (x86)\Internet Explorer\SIGNUP\24dbde2999530e | C:\providercommon\DllCommonsvc.exe | N/A |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File created | C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File opened for modification | C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe | C:\providercommon\DllCommonsvc.exe | N/A |
| File created | C:\Windows\BitLockerDiscoveryVolumeContents\886983d96e3d3e | C:\providercommon\DllCommonsvc.exe | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b48f072b3da8928af26a9cfad54918744f9a1f109a29d57d80156ec5816b23.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Scheduled Task/Job: Scheduled Task
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b48f072b3da8928af26a9cfad54918744f9a1f109a29d57d80156ec5816b23.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b48f072b3da8928af26a9cfad54918744f9a1f109a29d57d80156ec5816b23.exe"
C:\Windows\SysWOW64\WScript.exe
"C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe"
C:\Windows\SysWOW64\cmd.exe
cmd /c ""C:\providercommon\1zu9dW.bat" "
C:\providercommon\DllCommonsvc.exe
"C:\providercommon\DllCommonsvc.exe"
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 6 /tr "'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 5 /tr "'C:\Program Files\Mozilla Firefox\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\Program Files\Mozilla Firefox\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 11 /tr "'C:\Program Files\Mozilla Firefox\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 6 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvc" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "sppsvcs" /sc MINUTE /mo 10 /tr "'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 7 /tr "'C:\Windows\SysWOW64\hr-HR\audiodg.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodg" /sc ONLOGON /tr "'C:\Windows\SysWOW64\hr-HR\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "audiodga" /sc MINUTE /mo 12 /tr "'C:\Windows\SysWOW64\hr-HR\audiodg.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 10 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 5 /tr "'C:\Program Files (x86)\Internet Explorer\SIGNUP\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 14 /tr "'C:\providercommon\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 5 /tr "'C:\providercommon\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 7 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrss" /sc ONLOGON /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "csrssc" /sc MINUTE /mo 11 /tr "'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 11 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSE" /sc ONLOGON /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\system32\schtasks.exe
schtasks.exe /create /tn "WmiPrvSEW" /sc MINUTE /mo 8 /tr "'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'" /rl HIGHEST /f
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\BitLockerDiscoveryVolumeContents\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files\Mozilla Firefox\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0018-0409-0000-0000000FF1CE}-C\sppsvc.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Windows\SysWOW64\hr-HR\audiodg.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Program Files (x86)\Internet Explorer\SIGNUP\WmiPrvSE.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\MSOCache\All Users\{90140000-0116-0409-1000-0000000FF1CE}-C\csrss.exe'
C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe
"powershell" -Command Add-MpPreference -ExclusionPath 'C:\Recovery\31f19e42-8726-11ef-be9a-dab21757c799\WmiPrvSE.exe'
C:\Windows\SysWOW64\hr-HR\audiodg.exe
"C:\Windows\SysWOW64\hr-HR\audiodg.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\eUivgxqvfs.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\SysWOW64\hr-HR\audiodg.exe
"C:\Windows\SysWOW64\hr-HR\audiodg.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\4WSxKcEorb.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\SysWOW64\hr-HR\audiodg.exe
"C:\Windows\SysWOW64\hr-HR\audiodg.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YwiSfj46e4.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\SysWOW64\hr-HR\audiodg.exe
"C:\Windows\SysWOW64\hr-HR\audiodg.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rjTee716Rl.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\SysWOW64\hr-HR\audiodg.exe
"C:\Windows\SysWOW64\hr-HR\audiodg.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\2qVagYZlTM.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\SysWOW64\hr-HR\audiodg.exe
"C:\Windows\SysWOW64\hr-HR\audiodg.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\0uTXzTWsAa.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\SysWOW64\hr-HR\audiodg.exe
"C:\Windows\SysWOW64\hr-HR\audiodg.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\9ncYvmuuF5.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\SysWOW64\hr-HR\audiodg.exe
"C:\Windows\SysWOW64\hr-HR\audiodg.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\ER58NgmlZn.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
C:\Windows\SysWOW64\hr-HR\audiodg.exe
"C:\Windows\SysWOW64\hr-HR\audiodg.exe"
C:\Windows\System32\cmd.exe
"C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\rd8mWnFnEV.bat"
C:\Windows\system32\w32tm.exe
w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
Analysis: behavioral2
Detonation Overview
Submitted
2024-12-30 17:39
Reported
2024-12-30 17:41
Platform
win10v2004-20241007-en
Max time kernel
149s
Max time network
150s
Signatures
DcRat
Dcrat family
Process spawned unexpected child process
| Description | Indicator | Process | Target |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
| Parent C:\Windows\system32\wbem\wmiprvse.exe is not expected to spawn this process | N/A | C:\Windows\system32\schtasks.exe | |
DCRat payload
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Command and Scripting Interpreter: PowerShell
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
| N/A | N/A | C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b48f072b3da8928af26a9cfad54918744f9a1f109a29d57d80156ec5816b23.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\DllCommonsvc.exe | N/A |
| Key value queried | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000\Control Panel\International\Geo\Nation | C:\providercommon\RuntimeBroker.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\providercommon\DllCommonsvc.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
| N/A | N/A | C:\providercommon\RuntimeBroker.exe | N/A |
Legitimate hosting services abused for malware hosting/C2
| Description | Indicator | Process | Target |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
| N/A | raw.githubusercontent.com | N/A | N/A |
Enumerates physical storage devices
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b48f072b3da8928af26a9cfad54918744f9a1f109a29d57d80156ec5816b23.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\WScript.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\DllCommonsvc.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b48f072b3da8928af26a9cfad54918744f9a1f109a29d57d80156ec5816b23.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\RuntimeBroker.exe | N/A |
| Key created | \REGISTRY\USER\S-1-5-21-3442511616-637977696-3186306149-1000_Classes\Local Settings | C:\providercommon\RuntimeBroker.exe | N/A |
Scheduled Task/Job: Scheduled Task
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
| N/A | N/A | C:\Windows\system32\schtasks.exe | N/A |
Suspicious behavior: EnumeratesProcesses
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Uses Task Scheduler COM API
Processes
| Image | Command line |
| C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b48f072b3da8928af26a9cfad54918744f9a1f109a29d57d80156ec5816b23.exe | "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_c0b48f072b3da8928af26a9cfad54918744f9a1f109a29d57d80156ec5816b23.exe" |
| C:\Windows\SysWOW64\WScript.exe | "C:\Windows\System32\WScript.exe" "C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe" |
| C:\Windows\SysWOW64\cmd.exe | C:\Windows\system32\cmd.exe /c ""C:\providercommon\1zu9dW.bat" " |
| C:\providercommon\DllCommonsvc.exe | "C:\providercommon\DllCommonsvc.exe" |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\Public\sihost.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Public\sihost.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Public\sihost.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\providercommon\upfc.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\providercommon\RuntimeBroker.exe'" /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f |
| C:\Windows\system32\schtasks.exe | schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\DllCommonsvc.exe' |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\Users\Public\sihost.exe' |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\upfc.exe' |
| C:\Windows\System32\WindowsPowerShell\v1.0\powershell.exe | "powershell" -Command Add-MpPreference -ExclusionPath 'C:\providercommon\RuntimeBroker.exe' |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\DP6rZPVgxk.bat" |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\providercommon\RuntimeBroker.exe | "C:\providercommon\RuntimeBroker.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\F5GJdikwFG.bat" |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\providercommon\RuntimeBroker.exe | "C:\providercommon\RuntimeBroker.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\L8pPJcA7Kt.bat" |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\providercommon\RuntimeBroker.exe | "C:\providercommon\RuntimeBroker.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\YpMZYQImRp.bat" |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\providercommon\RuntimeBroker.exe | "C:\providercommon\RuntimeBroker.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vad0LeRbBz.bat" |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\providercommon\RuntimeBroker.exe | "C:\providercommon\RuntimeBroker.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat" |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\providercommon\RuntimeBroker.exe | "C:\providercommon\RuntimeBroker.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat" |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\providercommon\RuntimeBroker.exe | "C:\providercommon\RuntimeBroker.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat" |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\providercommon\RuntimeBroker.exe | "C:\providercommon\RuntimeBroker.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\mrWoaKD2ur.bat" |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\providercommon\RuntimeBroker.exe | "C:\providercommon\RuntimeBroker.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat" |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\providercommon\RuntimeBroker.exe | "C:\providercommon\RuntimeBroker.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\vad0LeRbBz.bat" |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\providercommon\RuntimeBroker.exe | "C:\providercommon\RuntimeBroker.exe" |
| C:\Windows\System32\cmd.exe | "C:\Windows\System32\cmd.exe" /C "C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat" |
| C:\Windows\system32\w32tm.exe | w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2 |
| C:\providercommon\RuntimeBroker.exe | "C:\providercommon\RuntimeBroker.exe" |
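The process listing above carries the sample's persistence and defence evasion in plain command lines: nine `schtasks /create` tasks (ONLOGON plus minute-interval watchdog pairs, several with `/rl HIGHEST`) pointing at copies named after genuine Windows binaries in C:\providercommon and C:\Users\Public, four `Add-MpPreference -ExclusionPath` calls that carve those paths out of Defender scanning, and a `w32tm /stripchart /computer:localhost` call between each batch stage and the next RuntimeBroker.exe launch, a common stand-in for a sleep in batch files. The Python triage script below is an added example, not part of the sandbox report or of the DCRat tooling: it parses those command lines (copied from the report as constructed input) and flags the indicators a responder would pivot on. The TRUSTED_PREFIXES and LOOKALIKE_NAMES lists are assumptions made for the example, not data from the report.

```python
"""Added triage example (not from the sandbox report or the DCRat tooling).

Parses the schtasks / powershell / w32tm command lines recorded above and
turns them into findings a responder can act on. TRUSTED_PREFIXES and
LOOKALIKE_NAMES are assumptions for this example; tune them per environment.
"""
import re

# Directories where a scheduled-task action would normally live (assumed list).
TRUSTED_PREFIXES = ("c:\\windows\\", "c:\\program files\\", "c:\\program files (x86)\\")
# Genuine Windows binary names this sample reuses for its dropped copies,
# plus a couple of other frequently borrowed names (assumed list).
LOOKALIKE_NAMES = {"sihost.exe", "runtimebroker.exe", "upfc.exe", "svchost.exe", "dllhost.exe"}

SCHTASKS_RE = re.compile(r"^\s*schtasks(?:\.exe)?\s+/create\b", re.I)
EXCLUSION_RE = re.compile(r"Add-MpPreference\s+-ExclusionPath\s+'([^']+)'", re.I)
# Polling localhost with w32tm yields nothing useful; batch droppers use it as a sleep.
W32TM_SLEEP_RE = re.compile(r"^\s*w32tm\s+/stripchart\s+/computer:localhost\b", re.I)


def _option(cmd, name):
    """Value of /name on a schtasks line: a "quoted" string or a bare token, else None."""
    m = re.search(r'/%s\s+(?:"([^"]*)"|(\S+))' % name, cmd, re.I)
    if not m:
        return None
    return m.group(1) if m.group(1) is not None else m.group(2)


def parse_schtasks(cmd):
    """Fields of a `schtasks /create` line, or None if cmd is something else."""
    if not SCHTASKS_RE.match(cmd):
        return None
    run_level = _option(cmd, "rl")
    return {
        "name": _option(cmd, "tn"),
        "schedule": (_option(cmd, "sc") or "").upper(),
        "modifier": _option(cmd, "mo"),
        # The report's lines wrap the action as "'path'"; strip both quote kinds.
        "target": (_option(cmd, "tr") or "").strip("'\""),
        "run_level": run_level.upper() if run_level else None,
    }


def parse_defender_exclusion(cmd):
    """Path passed to Add-MpPreference -ExclusionPath, or None."""
    m = EXCLUSION_RE.search(cmd)
    return m.group(1) if m else None


def assess_target(path):
    """Why a task action or exclusion path looks suspicious; empty list if it does not."""
    p = path.lower()
    reasons = []
    if not p.startswith(TRUSTED_PREFIXES):
        reasons.append("outside Windows and Program Files")
    if p.startswith("c:\\users\\public\\"):
        reasons.append("lives in world-writable C:\\Users\\Public")
    name = p.rsplit("\\", 1)[-1]
    if name in LOOKALIKE_NAMES and not p.startswith("c:\\windows\\"):
        reasons.append(f"borrows the Windows binary name {name} outside %SystemRoot%")
    return reasons


def triage(command_lines):
    """Run every command line through the parsers and collect findings."""
    findings = []
    for cmd in command_lines:
        task = parse_schtasks(cmd)
        if task:
            reasons = assess_target(task["target"])
            if task["run_level"] == "HIGHEST":
                reasons.append("runs elevated (/rl HIGHEST)")
            if task["schedule"] == "MINUTE":
                reasons.append(f"watchdog: re-launched every {task['modifier']} minute(s)")
            findings.append({"kind": "scheduled_task", "name": task["name"],
                             "target": task["target"], "reasons": reasons})
            continue
        excl = parse_defender_exclusion(cmd)
        if excl:
            findings.append({"kind": "defender_exclusion", "name": None,
                             "target": excl, "reasons": assess_target(excl)})
        elif W32TM_SLEEP_RE.match(cmd):
            findings.append({"kind": "delay", "name": None, "target": "w32tm /stripchart localhost",
                             "reasons": ["sleep substitute between batch stages"]})
    return findings


# Constructed input: command lines copied from the Processes section of this report.
SAMPLE_COMMAND_LINES = [
    r'''"C:\providercommon\DllCommonsvc.exe"''',
    r'''schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 5 /tr "'C:\Users\Public\sihost.exe'" /f''',
    r'''schtasks.exe /create /tn "sihost" /sc ONLOGON /tr "'C:\Users\Public\sihost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "sihosts" /sc MINUTE /mo 9 /tr "'C:\Users\Public\sihost.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 13 /tr "'C:\providercommon\upfc.exe'" /f''',
    r'''schtasks.exe /create /tn "upfc" /sc ONLOGON /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "upfcu" /sc MINUTE /mo 11 /tr "'C:\providercommon\upfc.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 14 /tr "'C:\providercommon\RuntimeBroker.exe'" /f''',
    r'''schtasks.exe /create /tn "RuntimeBroker" /sc ONLOGON /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f''',
    r'''schtasks.exe /create /tn "RuntimeBrokerR" /sc MINUTE /mo 8 /tr "'C:\providercommon\RuntimeBroker.exe'" /rl HIGHEST /f''',
    '"powershell" -Command Add-MpPreference -ExclusionPath \'C:\\providercommon\\DllCommonsvc.exe\'',
    '"powershell" -Command Add-MpPreference -ExclusionPath \'C:\\Users\\Public\\sihost.exe\'',
    '"powershell" -Command Add-MpPreference -ExclusionPath \'C:\\providercommon\\upfc.exe\'',
    '"powershell" -Command Add-MpPreference -ExclusionPath \'C:\\providercommon\\RuntimeBroker.exe\'',
    "w32tm /stripchart /computer:localhost /period:5 /dataonly /samples:2",
    r'''"C:\providercommon\RuntimeBroker.exe"''',
]

if __name__ == "__main__":
    for f in triage(SAMPLE_COMMAND_LINES):
        print(f"{f['kind']:18} {f['target']:45} {'; '.join(f['reasons'])}")
```

Run as a script it prints one finding per persistence task, exclusion and delay call. On a live host the same functions can be fed the `Task To Run` column of `schtasks /query /fo CSV /v` or the command-line field of process-creation telemetry (Sysmon event ID 1, Security 4688 with command-line auditing enabled); any task action that resolves to a user-writable directory under a System32 binary name, paired with a Defender exclusion for that same path, is the pattern this sample leaves behind.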
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | 58.55.71.13.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.210.23.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 140.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | raw.githubusercontent.com | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 133.109.199.185.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 154.239.44.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 197.87.175.4.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 172.214.232.199.in-addr.arpa | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 11.227.111.52.in-addr.arpa | udp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 185.199.109.133:443 | raw.githubusercontent.com | tcp |
| US | 8.8.8.8:53 | 8.173.189.20.in-addr.arpa | udp |
Files
C:\providercommon\yTUdeXjbLOhnrN32dgrxVg.vbe
| MD5 | 8088241160261560a02c84025d107592 |
| SHA1 | 083121f7027557570994c9fc211df61730455bb5 |
| SHA256 | 2072cc9a4a3b84d4c5178ab41c5588eea7d0103e3928e34d64f17bf97f3d1cc1 |
| SHA512 | 20d9369dd359315848ea30144383a0bb479d86059fdbc3b3256ac84f998193512feb3b1799ab663619920c99fe7e0ebba33ada31a3855094b956fcd351c90478 |
C:\providercommon\1zu9dW.bat
| MD5 | 6783c3ee07c7d151ceac57f1f9c8bed7 |
| SHA1 | 17468f98f95bf504cc1f83c49e49a78526b3ea03 |
| SHA256 | 8ab782f0f327a2021530e7230d3aee8abbecb7eed59482a3a46e78b9e3862322 |
| SHA512 | c6012d4bfac1ed14d0fd9f0eabd0e1c3d647b343db292a907b246271d52a4b7469c809db43910ddba2e8c5045f9cb3d24d0af62d363281e6cb8b39ee94a183e8 |
C:\providercommon\DllCommonsvc.exe
| MD5 | bd31e94b4143c4ce49c17d3af46bcad0 |
| SHA1 | f8c51ff3ff909531d9469d4ba1bbabae101853ff |
| SHA256 | b5199d3eb28e7de8ec4a5de66cb339a03d90b297e2292473badaab98ade15c63 |
| SHA512 | f96658bd19b672fd84038bd7e95c89e14f4e6f84e3ce9c6fe3216861a41203406148c6a809c2ab350d0d6c5919c845f619deb1fc9b1f1814dfce87e566bc2394 |
memory/2628-12-0x00007FFEF6073000-0x00007FFEF6075000-memory.dmp
memory/2628-13-0x0000000000FD0000-0x00000000010E0000-memory.dmp
memory/2628-14-0x0000000003250000-0x0000000003262000-memory.dmp
memory/2628-15-0x00000000033F0000-0x00000000033FC000-memory.dmp
memory/2628-16-0x0000000003260000-0x000000000326C000-memory.dmp
memory/2628-17-0x0000000003400000-0x000000000340C000-memory.dmp
memory/2136-27-0x00000270715F0000-0x0000027071612000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\__PSScriptPolicyTest_jw5s4nek.4oy.ps1
| MD5 | d17fe0a3f47be24a6453e9ef58c94641 |
| SHA1 | 6ab83620379fc69f80c0242105ddffd7d98d5d9d |
| SHA256 | 96ad1146eb96877eab5942ae0736b82d8b5e2039a80d3d6932665c1a4c87dcf7 |
| SHA512 | 5b592e58f26c264604f98f6aa12860758ce606d1c63220736cf0c779e4e18e3cec8706930a16c38b20161754d1017d1657d35258e58ca22b18f5b232880dec82 |
C:\Users\Admin\AppData\Local\Temp\DP6rZPVgxk.bat
| MD5 | db72f4abb3c888b7d5374ccdc2106327 |
| SHA1 | b4898d7d7b1aaa2848ce6bf8323ae0a0011ede4e |
| SHA256 | 7b4df5295131fc9ed2864b10b1dfb10d015cb469255360868dba7d9b3b023b06 |
| SHA512 | fd69ff0a46612c6e6daf86e3aa5809ca5a571144a1dc79ab53d20807ceb776854596d57f3561f460c9fc306f828a005d113de522aa6f1ae313762af6ce0884b8 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\powershell.exe.log
| MD5 | d85ba6ff808d9e5444a4b369f5bc2730 |
| SHA1 | 31aa9d96590fff6981b315e0b391b575e4c0804a |
| SHA256 | 84739c608a73509419748e4e20e6cc4e1846056c3fe1929a8300d5a1a488202f |
| SHA512 | 8c414eb55b45212af385accc16d9d562adba2123583ce70d22b91161fe878683845512a78f04dedd4ea98ed9b174dbfa98cf696370598ad8e6fbd1e714f1f249 |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 6d3e9c29fe44e90aae6ed30ccf799ca8 |
| SHA1 | c7974ef72264bbdf13a2793ccf1aed11bc565dce |
| SHA256 | 2360634e63e8f0b5748e2c56ebb8f4aa78e71008ea7b5c9ca1c49be03b49557d |
| SHA512 | 60c38c4367352537545d859f64b9c5cbada94240478d1d039fd27b5ecba4dc1c90051557c16d802269703b873546ead416279c0a80c6fd5e49ad361cef22596a |
C:\Users\Admin\AppData\Local\Microsoft\Windows\PowerShell\StartupProfileData-NonInteractive
| MD5 | 62623d22bd9e037191765d5083ce16a3 |
| SHA1 | 4a07da6872672f715a4780513d95ed8ddeefd259 |
| SHA256 | 95d79fd575bbd21540e378fcbc1cd00d16f51af62ce15bae7080bb72c24e2010 |
| SHA512 | 9a448b7a0d867466c2ea04ab84d2a9485d5fd20ab53b2b854f491831ee3f1d781b94d2635f7b0b35cb9f2d373cd52c67570879a56a42ed66bc9db06962ed4992 |
C:\Users\Admin\AppData\Local\Temp\F5GJdikwFG.bat
| MD5 | 904c73b63e40bec4af9123bd917cb735 |
| SHA1 | f5c8ba200bf4bb50aa95b9e2a76b6c95b3f28e93 |
| SHA256 | f6f42f0b92d7b1e969f35c3c03e27dbfff6e30bedf55d3f5eb2f05535fea9243 |
| SHA512 | b6b593d93c8a466bf64d03d052c2c8705b02bdc99bc98dbdfba8a9d35e2ee89dadc3f75bbd5fc7d3ccf535c5994a254822c9617dc87413178bde2fb11f61c535 |
C:\Users\Admin\AppData\Local\Microsoft\CLR_v4.0\UsageLogs\RuntimeBroker.exe.log
| MD5 | baf55b95da4a601229647f25dad12878 |
| SHA1 | abc16954ebfd213733c4493fc1910164d825cac8 |
| SHA256 | ee954c5d8156fd8890e582c716e5758ed9b33721258f10e758bdc31ccbcb1924 |
| SHA512 | 24f502fedb1a305d0d7b08857ffc1db9b2359ff34e06d5748ecc84e35c985f29a20d9f0a533bea32d234ab37097ec0481620c63b14ac89b280e75e14d19fd545 |
C:\Users\Admin\AppData\Local\Temp\L8pPJcA7Kt.bat
| MD5 | b22f94d306b07814a84986e46e651430 |
| SHA1 | f7a67d286c3344ed70f5dcce19b90ae5f2dc34fe |
| SHA256 | 8197b8564a78f594763972b0c6c8d5217af9375eda392674ee72f913be84ad00 |
| SHA512 | 7e560bf119d14a58d1818ac0751d7fc6c6b9f29e1ad03acc06ebc1851bd65949bb67b810d0175aeabdd3c0446f40c015fd6457ee8fd636c8c3de28da2af517b6 |
C:\Users\Admin\AppData\Local\Temp\YpMZYQImRp.bat
| MD5 | 227e5246c78c9d66bcff090e46ad5792 |
| SHA1 | 7b92a30c18090bbb260b28a1bd1babac3340bae9 |
| SHA256 | 3f2fc9f707a2b45ffadd98cb9b312cafbc0d14d468cf01f74d26d71e0f0eee3c |
| SHA512 | cd71798655ddd105e20da5c4690282865161b505b584679cc3940ecbf6db67b966cc8936fec9ab676de1cf03b534281a80152b061c8afcd02c96f687f40f7b26 |
C:\Users\Admin\AppData\Local\Temp\vad0LeRbBz.bat
| MD5 | ccf440851d8b314fbb27112a5c4f1a2f |
| SHA1 | ff9adaa252495bf17b2a66fef57d2bb108d0a0fe |
| SHA256 | 6db501233037c315bfa30ba4137ee83e52f662ac6d14f23b8faf29587bf8f869 |
| SHA512 | ab548c04c08d86dfcaf9b4f6ee1ac4e39c5f28c12acb1295e0b0200af99359f231638814fd10678aae755bc4a49dbc99a87911d799cc4af49a7c5912d3b4f784 |
C:\Users\Admin\AppData\Local\Temp\WtKWrLEt72.bat
| MD5 | c2de80e275ff97192b6b6fcc22e5b3c4 |
| SHA1 | fe2d14ef7874825deac867494c719e8c1af71460 |
| SHA256 | 80776554c788b44be6ab26b34644debadf3836decd2c3db005260b0947d5d98b |
| SHA512 | a972e9c836b0342dc45cddd316740eae936254fafcc37ef0ef3f53d84abf5f828883f2ff7064931ee86755332c40bee673a13ad983c88ce341fdf11d6631bd9a |
C:\Users\Admin\AppData\Local\Temp\T7QXgceCiI.bat
| MD5 | 5bb50a89f814b256033ea6b4dcb4f754 |
| SHA1 | d7d9754929f73f84d0480fd9c1e04ee7c61694b1 |
| SHA256 | 36ddbd46ab7dee4096e948283c2931c6a5c0f1bfa0565f1917237bb7940e6b11 |
| SHA512 | 0e08f154334b3c7f80dd76f0b206df6adf0714afc22623fc154b66f1767e9f3b5221f085eb7d46318b300abe146e7c387448726620c38761df4bfe5249978a8c |
C:\Users\Admin\AppData\Local\Temp\V3SaMhi525.bat
| MD5 | ec614d35415529e961abe66cb40ada4d |
| SHA1 | 056d5892574d07c6aa2cc91e78a40e6ee032a748 |
| SHA256 | 8818442c4e1d5e388b2a808e2b2cdf93f07433a573799052a61c072f2a5b00a0 |
| SHA512 | aa652bf884d3ac05e46bcf4f69079ea31951ea2e196a61822af1d9de8c53812908c073f774029d23c70fa002e2408f882bcb2edf3f8702569cdb9a5d6fc06933 |
C:\Users\Admin\AppData\Local\Temp\mrWoaKD2ur.bat
| MD5 | 2268387d6ff6d0525090099c47a54ad4 |
| SHA1 | 376a6da73eb12f400ce0ebb19305480cbdb8f944 |
| SHA256 | 281184213ade2cecf1c860827a14f642db15be60d51f03897bab705bb364ab42 |
| SHA512 | 1ba99bea969a4fb589032def3ab4c9c37a951cc25ffb129da44f269f4a8ef861fd11d89c32d775c94f2215392fac99b1f9edcba5a93a31590afca2153e31ce0f |
memory/1624-127-0x000000001CFC0000-0x000000001D169000-memory.dmp
memory/2392-134-0x000000001D440000-0x000000001D5E9000-memory.dmp
memory/1984-141-0x000000001D3C0000-0x000000001D569000-memory.dmp
memory/3968-148-0x000000001DB40000-0x000000001DCE9000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\uVUt9EuWwA.bat
| MD5 | b8dfaa7f3c36d0d88dca44bc82133074 |
| SHA1 | 284be9d09049fb0af8380cdae19906a698579bbe |
| SHA256 | 2ba82f7282216f5e3327806c37150c5cb0083d79fb18f8aae383d3aac40dad03 |
| SHA512 | cd2bbf70517163cf84c9748a6598c59f001ee3de6d8106db332fc5097f8b9a014ecd3d047bc8fad4cdf1abe35897c9611288a4931b31f1962016a2cbdc3b2ec3 |