darkcomet | 78461eb689a9ffe0edb5b3481cbd5f90c7418a2472be81b886563973314a4654

Analysis

max time kernel
150s
max time network
129s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
04-01-2025 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Size

818KB
MD5

786b98bcff876f951273fed95487eb00
SHA1

cb93b11234aa9ac2d2b6bf6a40dadb59c435f448
SHA256

78461eb689a9ffe0edb5b3481cbd5f90c7418a2472be81b886563973314a4654
SHA512

95f6c959f3fe51f234d315d749d1cc4cafb4ba027638c72b6a75a7de3339d5484a77d6244ca38fc8f958ef331093a76cd92ab54f1088354cd905e87e51909e82
SSDEEP

24576:BK4U9Ot+ogFV7gxzq6SOEo9no4DtLIBbl+z2kT:o4Uw+LF9gJL+om61j

Score

10^/10

darkcomet slave discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Slave

ghost1997.no-ip.biz:1337

Mutex

DC_MUTEX-AZZ26SG

Attributes

gencode
v1pe6tD2bNTU
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
1020	attrib.exe
1360	attrib.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe

Executes dropped EXE 1 IoCs

pid	Process
2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe

Loads dropped DLL 1 IoCs

pid	Process
1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\InstallDir\\help.exe"	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Roaming\\Microsoft\\Windows\\Cookies\\InstallDir\\help.exe"	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 1960 set thread context of 2980	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	31
PID 1960 set thread context of 2764	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	36

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{1AEE2761-CA6D-11EF-9CB9-62CAC36041A9} = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "2"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (data)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442137411"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4177215427-74451935-3209572229-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 1 IoCs

pid	Process
1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe

Suspicious use of AdjustPrivilegeToken 23 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeSecurityPrivilege	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeTakeOwnershipPrivilege	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeLoadDriverPrivilege	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeSystemProfilePrivilege	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeSystemtimePrivilege	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeProfSingleProcessPrivilege	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeIncBasePriorityPrivilege	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeCreatePagefilePrivilege	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeBackupPrivilege	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeRestorePrivilege	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeShutdownPrivilege	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeDebugPrivilege	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeSystemEnvironmentPrivilege	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeChangeNotifyPrivilege	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeRemoteShutdownPrivilege	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeUndockPrivilege	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeManageVolumePrivilege	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeImpersonatePrivilege	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeCreateGlobalPrivilege	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: 33	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: 34	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: 35	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2980	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2980	iexplore.exe
2980	iexplore.exe
1884	IEXPLORE.EXE
1884	IEXPLORE.EXE
2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
1884	IEXPLORE.EXE
1884	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 1960 wrote to memory of 2916	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	30
PID 1960 wrote to memory of 2916	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	30
PID 1960 wrote to memory of 2916	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	30
PID 1960 wrote to memory of 2916	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	30
PID 1960 wrote to memory of 2980	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	31
PID 1960 wrote to memory of 2980	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	31
PID 1960 wrote to memory of 2980	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	31
PID 1960 wrote to memory of 2980	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	31
PID 1960 wrote to memory of 2980	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	31
PID 1960 wrote to memory of 2980	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	31
PID 1960 wrote to memory of 2980	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	31
PID 1960 wrote to memory of 2980	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	31
PID 1960 wrote to memory of 2980	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	31
PID 1960 wrote to memory of 2980	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	31
PID 1960 wrote to memory of 2980	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	31
PID 1960 wrote to memory of 2980	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	31
PID 2916 wrote to memory of 2128	2916	cmd.exe	33
PID 2916 wrote to memory of 2128	2916	cmd.exe	33
PID 2916 wrote to memory of 2128	2916	cmd.exe	33
PID 2916 wrote to memory of 2128	2916	cmd.exe	33
PID 2980 wrote to memory of 1884	2980	iexplore.exe	35
PID 2980 wrote to memory of 1884	2980	iexplore.exe	35
PID 2980 wrote to memory of 1884	2980	iexplore.exe	35
PID 2980 wrote to memory of 1884	2980	iexplore.exe	35
PID 2128 wrote to memory of 864	2128	net.exe	34
PID 2128 wrote to memory of 864	2128	net.exe	34
PID 2128 wrote to memory of 864	2128	net.exe	34
PID 2128 wrote to memory of 864	2128	net.exe	34
PID 1960 wrote to memory of 2764	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	36
PID 1960 wrote to memory of 2764	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	36
PID 1960 wrote to memory of 2764	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	36
PID 1960 wrote to memory of 2764	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	36
PID 1960 wrote to memory of 2764	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	36
PID 1960 wrote to memory of 2764	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	36
PID 1960 wrote to memory of 2764	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	36
PID 1960 wrote to memory of 2764	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	36
PID 1960 wrote to memory of 2764	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	36
PID 1960 wrote to memory of 2764	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	36
PID 1960 wrote to memory of 2764	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	36
PID 1960 wrote to memory of 2764	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	36
PID 1960 wrote to memory of 2764	1960	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	36
PID 2764 wrote to memory of 2556	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	37
PID 2764 wrote to memory of 2556	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	37
PID 2764 wrote to memory of 2556	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	37
PID 2764 wrote to memory of 2556	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	37
PID 2764 wrote to memory of 3016	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	38
PID 2764 wrote to memory of 3016	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	38
PID 2764 wrote to memory of 3016	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	38
PID 2764 wrote to memory of 3016	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	38
PID 2764 wrote to memory of 2504	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	40
PID 2764 wrote to memory of 2504	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	40
PID 2764 wrote to memory of 2504	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	40
PID 2764 wrote to memory of 2504	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	40
PID 2764 wrote to memory of 2504	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	40
PID 2764 wrote to memory of 2504	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	40
PID 2764 wrote to memory of 2504	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	40
PID 2764 wrote to memory of 2504	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	40
PID 2764 wrote to memory of 2504	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	40
PID 2764 wrote to memory of 2504	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	40
PID 2764 wrote to memory of 2504	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	40
PID 2764 wrote to memory of 2504	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	40
PID 2764 wrote to memory of 2504	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	40
PID 2764 wrote to memory of 2504	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	40
PID 2764 wrote to memory of 2504	2764	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	40

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
1020	attrib.exe
1360	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_786b98bcff876f951273fed95487eb00.exe"
1⤵
- Drops startup file
- Loads dropped DLL
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:1960
- C:\Windows\SysWOW64\cmd.exe
  /c net stop MpsSvc
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2916
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2128
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:864
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2980
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2980 CREDAT:275457 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:1884
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
  2⤵
  - Windows security bypass
  - Executes dropped EXE
  - Windows security modification
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2764
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_786b98bcff876f951273fed95487eb00.exe" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2556
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_786b98bcff876f951273fed95487eb00.exe" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1360
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    PID:3016
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:1020
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2504

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
032f6b6ef629b6a54c701aff2dcd1d86

SHA1
35dbeabde73eed976c1ff7779949bf5f958c54de

SHA256
2c41a4612a3b00506ff740bac14a87cbd1fad7881e8982b13d9a08c66959ceee

SHA512
b55f992652b48c10ba0a5ff912baf1979ffd3302a5d096e30d24e95518cbd6b8835519d36b1c25b492df488e5c3053f0b7574240ffc8add87cae012619280e1d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
426ea3f4e59e922f3d80e2a65c780b17

SHA1
fd0e952cc5e74aad7b93ea4d37522cb95ee6d403

SHA256
a71946f76758b9c0031b016d125242ce9072ae58aa6d4d99f2453fad53ee760d

SHA512
a2a419dec700b84b73b27e01e558f8fc986f772d3b24026b7e2a104096ff8d9aca835a046d680550dc23f7dfecd2dc9e5a51d34f878ba0d5efa151198415f6eb

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
894742cde7d0ea82df45b8b85ce371d6

SHA1
4dc99334c408e2fb37fc28628dc189eb7f25d177

SHA256
623c842c5744fdc4fcbe7f4562576e2129d362170759e28e782c4b53ee0921f0

SHA512
4b940de8b8f63230ee381b997a4511c87cb9d100897ff4b754dbcd2dfe2c73202430ee46313216f5ef5cd5da15cef0b1d401a032a00177bef33b4c8f7f59dae1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
1afd57a51a779dbc6d06956d1204106f

SHA1
6f5e0db64b161568408923f9c084256556c651b7

SHA256
6aa07c6a44c7ae17026264ce6a937b1dba3c024d98075508e9f26bdabee4c55d

SHA512
4452d5a28809fdb639128c3606885acd4cfcda1f68010506437c28bc681e1dfb4b7a9df7f95d4529bbf8b749af20efb2baa585d87af03595ee1ed9f1bc403164

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
a2b598136dc08e14a6df25280bbb5921

SHA1
6ba7871c204f2cbf6927372348b544f7564e386c

SHA256
b3eec377d1ad7cd6899499ea5594883e6cb0a7053224a72a3451ed7fb30d6b4d

SHA512
2e9c6ccf32a496e261085c9d8a26fedac99c3d53a8ba601d5692a5475b855ae2f554ea7da44431566fb0b550cfa69101e1db4db167d1eba65210fe07b0e9004c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
37a6fdb27a069b0332bd8c51fff97ae7

SHA1
b9f6b58ba51c4f303a5a25f7582094fa12b70d2c

SHA256
92107157cd16ee5b8cc5170e1daf56a473503766a4f554e365e1cbd5853695c4

SHA512
989d5e37ccf0ae56605f64ec3f891168aa67e3f31c9bbc40bcaac97b5c4133ce71d951d752643c6256adaad8f0b59ee65b658f98e306b842f62e574f1eb52917

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
46b7eeb2131c719ccedf401057ba8fc9

SHA1
0a0694c6962bb4f593da247bb894c04eec224a6d

SHA256
e6fe257bc53eaeebe1ca3055fdd40bd58343876c9b8d88f8491ce6666fbb89de

SHA512
7cf6c6b76c33928804475109b36af96b8e8c2c0f00072f7fa1e44b228c7543554c077e96d1707a47ae74f60f087221a4bf406505f642f76f90daf54ec073532f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
67995dc73afabc06311f829b8ec2b1f4

SHA1
4ca23575f9f5face8940aad024e151336cdfa49d

SHA256
566f30e3bb7b8c6d33ec10a6665cca5a1d3e568348bde11ae03a19bb62aa30cc

SHA512
089539aed73be3fe18017260607e3bbdb5dadd415f20e537cb29cb3e259b9bdddeb1f800f243e8bd65f4f3f87a4e0054911661bcc1b2b2833347c7515fdce87d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
575653e1e633ebebb8e37d31b298aaa7

SHA1
2ccdfdbbdd72ea033385d9e615f7023629317bae

SHA256
5ebe8aa35333682d68e9075066dcc1e26551d1be07079b8dd56ec1f2fc2a9d22

SHA512
d172bb6ef36c4896bdc1585b7ab1e8214a020c1f9818f1d74af152a799cf7e232590a13a9da051e03e0fe30b4ce52c50ceb8a913d84366d78b28d8c15b03165c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
060a6e2de48b3d41bb001644b11f1424

SHA1
9be8323afd19809095efca0401a10c132ac01119

SHA256
1ef623171cd93b1e88f212b6bc4361051076e78799884d23046744c2f8134e49

SHA512
092861188f6a70794322f1eec69662b905c7169b5482994faf269e8f146569bfa275dfdc126eac38b0cb1d6080c33d63c92756ab562df6ba6873d5c2360c1b8b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
32529292b5bd8aca724e560659da60a9

SHA1
329f5fea3ea883c7604912f3a350dd64a806a5b6

SHA256
a429da8dd8ad27e4fa53795a5c2bcb16c85e4311fa3ddf1ca9711babb708bbe1

SHA512
9ad5788336e5e988198618e8bab3ec2f077f958a9ff8adc4a1bcd8110ec1b18fde632a174bfaf313dbdab7ed41fdcc2cb6917828e3c29ffc99237bece70a200e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3f4617f53c9703fb195b9d82f2a99e3f

SHA1
88865c003912a23b3026f0aef7827ac89aaaef7a

SHA256
c46866251a85d393b2fa58883d233e208fe06ffac84ac6c469d84d9d12d53d72

SHA512
3c72c20b20abc2d5061e1d76e19a63fd5466fd9bde74726a1b46d9c93b9f11d82b8dfc9825a6c345b3ff5548881cce4c34c3431f6e142d71c9418ce31466a5e5

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
2fe1a49d147bd0c40f864a66ba73c068

SHA1
af19ff55ddac9622a1ed0bb9029c968e5f715c59

SHA256
9c302fa66fa6b3bac888b0e4fa1841cca5a3b07ced917d72de2aedf58cc38359

SHA512
916c1d29cd9d760375039df87f418fddefa396d3ee48aa2e1e2f868c8a8cfcb2176f43736aed9fb480b96970148d8cb7d345ceac3b51b0835c5beb44d9c81dea

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
88a3b3f31a317cd510a8d099c54bf689

SHA1
2981e719a03971268b375bfc43531216d441ef39

SHA256
ef3ad50c9c6ca8a51acc9d4e6e63a1a96fe7c48f04bd26dbef5a5c315501b988

SHA512
02a76b895c7f839d13a1d3aabf18e1ac418e333c745bd2119c90e9ae5e4d4fe3edbe8ec8d99223bd757a77279127c41dff37cdd9ce8a8ade4a78fc37adbe89b2

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3bff65867dba4dd826b866807009be96

SHA1
16026c3b778a030d721a815fbc3b671b1867119d

SHA256
946f8cfebd8c3e2bf2d6ee6e987d841fb84ff051ae225c9a0d780720e8387b1f

SHA512
80cfc7d485981cefac12cd46db6c8b374448780e2e83fac837f8bbb5653a0bc77a59ea3297bf46bdd0ce65bf56bb66babc09ceeeddc9b7e07da6e1fd54d9725f

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
65f0bae9d1a190063ac4725cc832c60c

SHA1
ebe7af0aa05f8931b2dca4e38a7d4696e97f9a0c

SHA256
cc00398e2defecefb716e62f7e71607613d483a11cda3ae2ff2b535d0066745f

SHA512
b0e343d5b91ad8c469d4d7644faa26946f8c5d6a49a903debab5e170b10137a19276124c41cf95471d665f034c2f456946beef0b9416b362dce3e3f7569e2ef8

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabCD41.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarCDFF.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Local\Temp\JaffaCakes118_786b98bcff876f951273fed95487eb00.exe

Filesize
818KB

MD5
786b98bcff876f951273fed95487eb00

SHA1
cb93b11234aa9ac2d2b6bf6a40dadb59c435f448

SHA256
78461eb689a9ffe0edb5b3481cbd5f90c7418a2472be81b886563973314a4654

SHA512
95f6c959f3fe51f234d315d749d1cc4cafb4ba027638c72b6a75a7de3339d5484a77d6244ca38fc8f958ef331093a76cd92ab54f1088354cd905e87e51909e82

Download Submit
memory/1960-0-0x0000000000220000-0x0000000000221000-memory.dmp

Filesize
4KB

Download
memory/1960-1-0x0000000000230000-0x0000000000234000-memory.dmp

Filesize
16KB

Download
memory/2504-59-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2504-34-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2764-10-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-496-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-94-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-61-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-33-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-32-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-8-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-18-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-12-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-16-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-30-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-383-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-31-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-492-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-493-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-494-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-495-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-60-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-497-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-498-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-20-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-22-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2764-29-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-28-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-14-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-937-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-931-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-932-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-933-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-934-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-935-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2764-936-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2980-6-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download