darkcomet | 78461eb689a9ffe0edb5b3481cbd5f90c7418a2472be81b886563973314a4654

Analysis

max time kernel
150s
max time network
151s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
04-01-2025 07:25

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Size

818KB
MD5

786b98bcff876f951273fed95487eb00
SHA1

cb93b11234aa9ac2d2b6bf6a40dadb59c435f448
SHA256

78461eb689a9ffe0edb5b3481cbd5f90c7418a2472be81b886563973314a4654
SHA512

95f6c959f3fe51f234d315d749d1cc4cafb4ba027638c72b6a75a7de3339d5484a77d6244ca38fc8f958ef331093a76cd92ab54f1088354cd905e87e51909e82
SSDEEP

24576:BK4U9Ot+ogFV7gxzq6SOEo9no4DtLIBbl+z2kT:o4Uw+LF9gJL+om61j

Score

10^/10

darkcomet slave discovery evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Slave

ghost1997.no-ip.biz:1337

Mutex

DC_MUTEX-AZZ26SG

Attributes

gencode
v1pe6tD2bNTU
install
false
offline_keylogger
true
persistence
false

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Windows security bypass 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

evasion

Hidden Files and Directories

T1564.001

pid	Process
328	attrib.exe
3668	attrib.exe

Checks computer location settings 2 TTPs 1 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Control Panel\International\Geo\Nation	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe

Drops startup file 1 IoCs

description	ioc	Process
File created	C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe

Executes dropped EXE 1 IoCs

pid	Process
2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe

Windows security modification 2 TTPs 1 IoCs

evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\InstallDir\\help.exe"	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Users\\Admin\\AppData\\Local\\Microsoft\\Windows\\INetCookies\\InstallDir\\help.exe"	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe

Suspicious use of SetThreadContext 2 IoCs

description	pid	Process	procid_target
PID 5072 set thread context of 2196	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	85
PID 5072 set thread context of 2200	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	90

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 11 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net1.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	net.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE

Modifies Internet Explorer settings 1 TTPs 30 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\VersionManager	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLLowDateTime = "1251635200"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{1CC34718-CA6D-11EF-A4B7-D2BD7E71DA05} = "0"	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4049996546"	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateLowDateTime = "4045934216"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastTTLHighDateTime = "50"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\GPU	IEXPLORE.EXE
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "4045934216"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\VersionManager	IEXPLORE.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\""	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastUpdateHighDateTime = "31153785"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31153785"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31153785"	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "442740520"	iexplore.exe

Runs net.exe

Suspicious behavior: EnumeratesProcesses 2 IoCs

pid	Process
5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe

Suspicious behavior: GetForegroundWindowSpam 1 IoCs

pid	Process
2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe

Suspicious use of AdjustPrivilegeToken 24 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeSecurityPrivilege	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeTakeOwnershipPrivilege	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeLoadDriverPrivilege	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeSystemProfilePrivilege	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeSystemtimePrivilege	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeProfSingleProcessPrivilege	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeIncBasePriorityPrivilege	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeCreatePagefilePrivilege	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeBackupPrivilege	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeRestorePrivilege	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeShutdownPrivilege	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeDebugPrivilege	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeSystemEnvironmentPrivilege	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeChangeNotifyPrivilege	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeRemoteShutdownPrivilege	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeUndockPrivilege	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeManageVolumePrivilege	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeImpersonatePrivilege	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: SeCreateGlobalPrivilege	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: 33	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: 34	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: 35	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
Token: 36	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2196	iexplore.exe

Suspicious use of SetWindowsHookEx 7 IoCs

pid	Process
2196	iexplore.exe
2196	iexplore.exe
3300	IEXPLORE.EXE
3300	IEXPLORE.EXE
2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
3300	IEXPLORE.EXE
3300	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 5072 wrote to memory of 2032	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	84
PID 5072 wrote to memory of 2032	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	84
PID 5072 wrote to memory of 2032	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	84
PID 5072 wrote to memory of 2196	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	85
PID 5072 wrote to memory of 2196	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	85
PID 5072 wrote to memory of 2196	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	85
PID 5072 wrote to memory of 2196	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	85
PID 5072 wrote to memory of 2196	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	85
PID 5072 wrote to memory of 2196	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	85
PID 5072 wrote to memory of 2196	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	85
PID 5072 wrote to memory of 2196	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	85
PID 5072 wrote to memory of 2196	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	85
PID 5072 wrote to memory of 2196	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	85
PID 5072 wrote to memory of 2196	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	85
PID 5072 wrote to memory of 2196	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	85
PID 2032 wrote to memory of 1752	2032	cmd.exe	87
PID 2032 wrote to memory of 1752	2032	cmd.exe	87
PID 2032 wrote to memory of 1752	2032	cmd.exe	87
PID 1752 wrote to memory of 3896	1752	net.exe	88
PID 1752 wrote to memory of 3896	1752	net.exe	88
PID 1752 wrote to memory of 3896	1752	net.exe	88
PID 2196 wrote to memory of 3300	2196	iexplore.exe	89
PID 2196 wrote to memory of 3300	2196	iexplore.exe	89
PID 2196 wrote to memory of 3300	2196	iexplore.exe	89
PID 5072 wrote to memory of 2200	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	90
PID 5072 wrote to memory of 2200	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	90
PID 5072 wrote to memory of 2200	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	90
PID 5072 wrote to memory of 2200	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	90
PID 5072 wrote to memory of 2200	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	90
PID 5072 wrote to memory of 2200	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	90
PID 5072 wrote to memory of 2200	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	90
PID 5072 wrote to memory of 2200	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	90
PID 5072 wrote to memory of 2200	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	90
PID 5072 wrote to memory of 2200	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	90
PID 5072 wrote to memory of 2200	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	90
PID 5072 wrote to memory of 2200	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	90
PID 5072 wrote to memory of 2200	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	90
PID 5072 wrote to memory of 2200	5072	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	90
PID 2200 wrote to memory of 1404	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	91
PID 2200 wrote to memory of 1404	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	91
PID 2200 wrote to memory of 1404	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	91
PID 2200 wrote to memory of 1412	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	92
PID 2200 wrote to memory of 1412	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	92
PID 2200 wrote to memory of 1412	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	92
PID 2200 wrote to memory of 2292	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	94
PID 2200 wrote to memory of 2292	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	94
PID 2200 wrote to memory of 2292	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	94
PID 2200 wrote to memory of 2292	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	94
PID 2200 wrote to memory of 2292	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	94
PID 2200 wrote to memory of 2292	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	94
PID 2200 wrote to memory of 2292	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	94
PID 2200 wrote to memory of 2292	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	94
PID 2200 wrote to memory of 2292	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	94
PID 2200 wrote to memory of 2292	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	94
PID 2200 wrote to memory of 2292	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	94
PID 2200 wrote to memory of 2292	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	94
PID 2200 wrote to memory of 2292	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	94
PID 2200 wrote to memory of 2292	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	94
PID 2200 wrote to memory of 2292	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	94
PID 2200 wrote to memory of 2292	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	94
PID 2200 wrote to memory of 2292	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	94
PID 2200 wrote to memory of 2292	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	94
PID 2200 wrote to memory of 2292	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	94
PID 2200 wrote to memory of 2292	2200	JaffaCakes118_786b98bcff876f951273fed95487eb00.exe	94

Views/modifies file attributes 1 TTPs 2 IoCs

evasion

Hidden Files and Directories

T1564.001

pid	Process
328	attrib.exe
3668	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_786b98bcff876f951273fed95487eb00.exe"
1⤵
- Drops startup file
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of WriteProcessMemory
PID:5072
- C:\Windows\SysWOW64\cmd.exe
  /c net stop MpsSvc
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2032
- - C:\Windows\SysWOW64\net.exe
    net stop MpsSvc
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:1752
  - - C:\Windows\SysWOW64\net1.exe
      C:\Windows\system32\net1 stop MpsSvc
      4⤵
      System Location Discovery: System Language Discovery
      PID:3896
- C:\Program Files\Internet Explorer\iexplore.exe
  "C:\Program Files\Internet Explorer\iexplore.exe"
  2⤵
  - Modifies Internet Explorer settings
  - Suspicious use of FindShellTrayWindow
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2196
- - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
    "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2196 CREDAT:17410 /prefetch:2
    3⤵
    - System Location Discovery: System Language Discovery
    - Modifies Internet Explorer settings
    - Suspicious use of SetWindowsHookEx
    PID:3300
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_786b98bcff876f951273fed95487eb00.exe
  2⤵
  - Windows security bypass
  - Checks computer location settings
  - Executes dropped EXE
  - Windows security modification
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2200
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_786b98bcff876f951273fed95487eb00.exe" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1404
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_786b98bcff876f951273fed95487eb00.exe" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:3668
- - C:\Windows\SysWOW64\cmd.exe
    "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1412
  - - C:\Windows\SysWOW64\attrib.exe
      attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      Sets file to hidden
      System Location Discovery: System Language Discovery
      Views/modifies file attributes
      PID:328
- - C:\Windows\SysWOW64\notepad.exe
    notepad
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2292

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
471B

MD5
8fad2e07a4c7a80a9b50d87e76420c29

SHA1
7faa7310d52e1b97b5f7597dda3fa439f4ec04d8

SHA256
be210b4b624d55d076fdc5b6d9f6b98acb116c646e43c56e52790d910bca942d

SHA512
459a02e6817f3ba0a1edc2590a266a772127f39f651c9a5ee1170fbaefedeadff6a6ff948f97ed09670413dabe611c2c34e00e7600b4ff501455c35776da7895

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\7423F88C7F265F0DEFC08EA88C3BDE45_AA1E8580D4EBC816148CE81268683776

Filesize
404B

MD5
d55488edf5f3a0f45afd90f180432554

SHA1
c5c788e7301f939b9c3c77e36433e4d3df8ed4c7

SHA256
3c33037bddbfe2f1c8553c29060751c21f1e676ae6ad2c277b58a7a2bc5dbac5

SHA512
b02cc2de126e1847679db735de740d79e586f08f118c228227a59c0fc286efdfdf3d6acb28e6ec842944c9b2f87df9b474d8e2d58faa1e27659efef05099ae78

Download Submit
C:\Users\Admin\AppData\Local\Microsoft\Windows\INetCache\IE\P2UT3MS5\suggestions[1].en-US

Filesize
17KB

MD5
5a34cb996293fde2cb7a4ac89587393a

SHA1
3c96c993500690d1a77873cd62bc639b3a10653f

SHA256
c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad

SHA512
e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_786b98bcff876f951273fed95487eb00.exe

Filesize
818KB

MD5
786b98bcff876f951273fed95487eb00

SHA1
cb93b11234aa9ac2d2b6bf6a40dadb59c435f448

SHA256
78461eb689a9ffe0edb5b3481cbd5f90c7418a2472be81b886563973314a4654

SHA512
95f6c959f3fe51f234d315d749d1cc4cafb4ba027638c72b6a75a7de3339d5484a77d6244ca38fc8f958ef331093a76cd92ab54f1088354cd905e87e51909e82

Download Submit
memory/2196-6-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2200-19-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2200-30-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2200-12-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2200-13-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2200-16-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2200-15-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2200-51-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2200-17-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2200-18-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2200-50-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2200-20-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2200-10-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2200-9-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2200-11-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2200-31-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2200-32-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2200-33-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2200-49-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2200-44-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2200-45-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2200-46-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2200-47-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2200-48-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2292-14-0x0000000000E10000-0x0000000000E11000-memory.dmp

Filesize
4KB

Download
memory/5072-1-0x0000000002220000-0x0000000002224000-memory.dmp

Filesize
16KB

Download
memory/5072-0-0x0000000002210000-0x0000000002211000-memory.dmp

Filesize
4KB

Download