darkcomet | 62db18b1b1d4ac66d198ecfbc1195dc13373fd29833c58bf71cfa4255679c578

Analysis

max time kernel
150s
max time network
150s
platform
windows10-2004_x64
resource
win10v2004-20241007-en
resource tags

arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system
submitted
09-01-2025 14:24

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Size

1.8MB
MD5

ca774575a2253b0aa51d7294cc45e5b7
SHA1

150df3f0e8e861f802157084bc64a8ec8b34fa42
SHA256

62db18b1b1d4ac66d198ecfbc1195dc13373fd29833c58bf71cfa4255679c578
SHA512

8fd26c938e24f67c1f25e22bc59b73ffcf44ecdf6454eddf42d7ccb19fa132533b5d8ac2a2aea43c298e9c1858d769a5c9b514db71441daacec32a35c4573b07
SSDEEP

49152:3IYjlLwtsGun9LIo3BBdLbrfTVzvjYK1nmD6:YYj9wtsGuLf/v8K1nmD6

Score

10^/10

darkcomet warzonerat 2021new-sept-1 discovery evasion infostealer persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

2021New-Sept-1

45.74.4.244:35888

Mutex

DC_MUTEX-7DDJ5ZC

Attributes

InstallPath
wirar.exe
gencode
cYaHnoJ4tARs
install
true
offline_keylogger
true
password
hhhhhh
persistence
false
reg_key
rar

Extracted

Family

warzonerat

45.74.4.244:5205

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\wirar.exe"	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe

WarzoneRat, AveMaria
WarzoneRat is a native RAT developed in C++ with multiple plugins sold as a MaaS.
rat infostealer warzonerat
Warzonerat family
warzonerat

Warzone RAT payload 4 IoCs

rat

resource	yara_rule
behavioral2/memory/3420-98-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/3420-101-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/4664-104-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat
behavioral2/memory/4664-106-0x0000000000400000-0x0000000000554000-memory.dmp	warzonerat

Disables Task Manager via registry modification
evasion

Drops file in Drivers directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Windows\system32\drivers\etc\hosts	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe

Checks computer location settings 2 TTPs 3 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Key value queried	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\Control Panel\International\Geo\Nation	wirar.exe

Executes dropped EXE 15 IoCs

pid	Process
4328	1OuniAu2Le7dBE2Q.exe
3264	vQ1p1rvBjvPPxKXc.exe
4540	wirar.exe
1940	1OuniAu2Le7dBE2Q.exe
4012	1OuniAu2Le7dBE2Q.exe
3520	1OuniAu2Le7dBE2Q.exe
3420	1OuniAu2Le7dBE2Q.exe
4664	vQ1p1rvBjvPPxKXc.exe
3024	KFHVz2Plgr7F004P.exe
1020	wirar.exe
1836	HESlDJFRB3QLwjNU.exe
2384	images.exe
2072	KFHVz2Plgr7F004P.exe
956	images.exe
2004	HESlDJFRB3QLwjNU.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-3350944739-639801879-157714471-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\rar = "C:\\Users\\Admin\\Documents\\wirar.exe"	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\Images = "C:\\ProgramData\\images.exe"	vQ1p1rvBjvPPxKXc.exe

Drops desktop.ini file(s) 2 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly\Desktop.ini	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
File created	C:\Windows\assembly\Desktop.ini	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe

Suspicious use of SetThreadContext 7 IoCs

description	pid	Process	procid_target
PID 2140 set thread context of 2636	2140	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe	85
PID 4328 set thread context of 3420	4328	1OuniAu2Le7dBE2Q.exe	90
PID 3264 set thread context of 4664	3264	vQ1p1rvBjvPPxKXc.exe	96
PID 4540 set thread context of 1020	4540	wirar.exe	104
PID 3024 set thread context of 2072	3024	KFHVz2Plgr7F004P.exe	109
PID 2384 set thread context of 956	2384	images.exe	113
PID 1836 set thread context of 2004	1836	HESlDJFRB3QLwjNU.exe	116

Drops file in Windows directory 3 IoCs

description	ioc	Process
File opened for modification	C:\Windows\assembly	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
File created	C:\Windows\assembly\Desktop.ini	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
File opened for modification	C:\Windows\assembly\Desktop.ini	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
3220	4328	WerFault.exe	83
2496	3264	WerFault.exe	84
4948	3024	WerFault.exe	102
4504	2384	WerFault.exe	108
4952	1836	WerFault.exe	103

System Location Discovery: System Language Discovery 1 TTPs 17 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wirar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vQ1p1rvBjvPPxKXc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	wirar.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HESlDJFRB3QLwjNU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	HESlDJFRB3QLwjNU.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	vQ1p1rvBjvPPxKXc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	images.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1OuniAu2Le7dBE2Q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	1OuniAu2Le7dBE2Q.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KFHVz2Plgr7F004P.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	images.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	KFHVz2Plgr7F004P.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe

Suspicious behavior: EnumeratesProcesses 31 IoCs

pid	Process
2140	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
2140	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
4328	1OuniAu2Le7dBE2Q.exe
4328	1OuniAu2Le7dBE2Q.exe
4328	1OuniAu2Le7dBE2Q.exe
4328	1OuniAu2Le7dBE2Q.exe
4328	1OuniAu2Le7dBE2Q.exe
4328	1OuniAu2Le7dBE2Q.exe
4328	1OuniAu2Le7dBE2Q.exe
4328	1OuniAu2Le7dBE2Q.exe
4328	1OuniAu2Le7dBE2Q.exe
4328	1OuniAu2Le7dBE2Q.exe
4328	1OuniAu2Le7dBE2Q.exe
4328	1OuniAu2Le7dBE2Q.exe
4328	1OuniAu2Le7dBE2Q.exe
4328	1OuniAu2Le7dBE2Q.exe
4328	1OuniAu2Le7dBE2Q.exe
3264	vQ1p1rvBjvPPxKXc.exe
3264	vQ1p1rvBjvPPxKXc.exe
3264	vQ1p1rvBjvPPxKXc.exe
4540	wirar.exe
4540	wirar.exe
3024	KFHVz2Plgr7F004P.exe
3024	KFHVz2Plgr7F004P.exe
3024	KFHVz2Plgr7F004P.exe
2384	images.exe
2384	images.exe
2384	images.exe
1836	HESlDJFRB3QLwjNU.exe
1836	HESlDJFRB3QLwjNU.exe
1836	HESlDJFRB3QLwjNU.exe

Suspicious use of AdjustPrivilegeToken 55 IoCs

description	pid	Process
Token: SeDebugPrivilege	2140	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Token: SeIncreaseQuotaPrivilege	2636	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Token: SeSecurityPrivilege	2636	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Token: SeTakeOwnershipPrivilege	2636	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Token: SeLoadDriverPrivilege	2636	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Token: SeSystemProfilePrivilege	2636	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Token: SeSystemtimePrivilege	2636	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Token: SeProfSingleProcessPrivilege	2636	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Token: SeIncBasePriorityPrivilege	2636	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Token: SeCreatePagefilePrivilege	2636	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Token: SeBackupPrivilege	2636	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Token: SeRestorePrivilege	2636	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Token: SeShutdownPrivilege	2636	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Token: SeDebugPrivilege	2636	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Token: SeSystemEnvironmentPrivilege	2636	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Token: SeChangeNotifyPrivilege	2636	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Token: SeRemoteShutdownPrivilege	2636	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Token: SeUndockPrivilege	2636	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Token: SeManageVolumePrivilege	2636	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Token: SeImpersonatePrivilege	2636	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Token: SeCreateGlobalPrivilege	2636	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Token: 33	2636	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Token: 34	2636	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Token: 35	2636	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Token: 36	2636	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
Token: SeDebugPrivilege	4328	1OuniAu2Le7dBE2Q.exe
Token: SeDebugPrivilege	3264	vQ1p1rvBjvPPxKXc.exe
Token: SeDebugPrivilege	4540	wirar.exe
Token: SeIncreaseQuotaPrivilege	1020	wirar.exe
Token: SeSecurityPrivilege	1020	wirar.exe
Token: SeTakeOwnershipPrivilege	1020	wirar.exe
Token: SeLoadDriverPrivilege	1020	wirar.exe
Token: SeSystemProfilePrivilege	1020	wirar.exe
Token: SeSystemtimePrivilege	1020	wirar.exe
Token: SeProfSingleProcessPrivilege	1020	wirar.exe
Token: SeIncBasePriorityPrivilege	1020	wirar.exe
Token: SeCreatePagefilePrivilege	1020	wirar.exe
Token: SeBackupPrivilege	1020	wirar.exe
Token: SeRestorePrivilege	1020	wirar.exe
Token: SeShutdownPrivilege	1020	wirar.exe
Token: SeDebugPrivilege	1020	wirar.exe
Token: SeSystemEnvironmentPrivilege	1020	wirar.exe
Token: SeChangeNotifyPrivilege	1020	wirar.exe
Token: SeRemoteShutdownPrivilege	1020	wirar.exe
Token: SeUndockPrivilege	1020	wirar.exe
Token: SeManageVolumePrivilege	1020	wirar.exe
Token: SeImpersonatePrivilege	1020	wirar.exe
Token: SeCreateGlobalPrivilege	1020	wirar.exe
Token: 33	1020	wirar.exe
Token: 34	1020	wirar.exe
Token: 35	1020	wirar.exe
Token: 36	1020	wirar.exe
Token: SeDebugPrivilege	3024	KFHVz2Plgr7F004P.exe
Token: SeDebugPrivilege	2384	images.exe
Token: SeDebugPrivilege	1836	HESlDJFRB3QLwjNU.exe

Suspicious use of SetWindowsHookEx 1 IoCs

pid	Process
1020	wirar.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2140 wrote to memory of 4328	2140	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe	83
PID 2140 wrote to memory of 4328	2140	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe	83
PID 2140 wrote to memory of 4328	2140	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe	83
PID 2140 wrote to memory of 3264	2140	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe	84
PID 2140 wrote to memory of 3264	2140	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe	84
PID 2140 wrote to memory of 3264	2140	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe	84
PID 2140 wrote to memory of 2636	2140	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe	85
PID 2140 wrote to memory of 2636	2140	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe	85
PID 2140 wrote to memory of 2636	2140	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe	85
PID 2140 wrote to memory of 2636	2140	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe	85
PID 2140 wrote to memory of 2636	2140	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe	85
PID 2140 wrote to memory of 2636	2140	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe	85
PID 2140 wrote to memory of 2636	2140	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe	85
PID 2140 wrote to memory of 2636	2140	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe	85
PID 2140 wrote to memory of 2636	2140	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe	85
PID 2140 wrote to memory of 2636	2140	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe	85
PID 2140 wrote to memory of 2636	2140	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe	85
PID 2140 wrote to memory of 2636	2140	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe	85
PID 2636 wrote to memory of 4540	2636	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe	86
PID 2636 wrote to memory of 4540	2636	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe	86
PID 2636 wrote to memory of 4540	2636	JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe	86
PID 4328 wrote to memory of 1940	4328	1OuniAu2Le7dBE2Q.exe	87
PID 4328 wrote to memory of 1940	4328	1OuniAu2Le7dBE2Q.exe	87
PID 4328 wrote to memory of 1940	4328	1OuniAu2Le7dBE2Q.exe	87
PID 4328 wrote to memory of 4012	4328	1OuniAu2Le7dBE2Q.exe	88
PID 4328 wrote to memory of 4012	4328	1OuniAu2Le7dBE2Q.exe	88
PID 4328 wrote to memory of 4012	4328	1OuniAu2Le7dBE2Q.exe	88
PID 4328 wrote to memory of 3520	4328	1OuniAu2Le7dBE2Q.exe	89
PID 4328 wrote to memory of 3520	4328	1OuniAu2Le7dBE2Q.exe	89
PID 4328 wrote to memory of 3520	4328	1OuniAu2Le7dBE2Q.exe	89
PID 4328 wrote to memory of 3420	4328	1OuniAu2Le7dBE2Q.exe	90
PID 4328 wrote to memory of 3420	4328	1OuniAu2Le7dBE2Q.exe	90
PID 4328 wrote to memory of 3420	4328	1OuniAu2Le7dBE2Q.exe	90
PID 4328 wrote to memory of 3420	4328	1OuniAu2Le7dBE2Q.exe	90
PID 4328 wrote to memory of 3420	4328	1OuniAu2Le7dBE2Q.exe	90
PID 4328 wrote to memory of 3420	4328	1OuniAu2Le7dBE2Q.exe	90
PID 4328 wrote to memory of 3420	4328	1OuniAu2Le7dBE2Q.exe	90
PID 4328 wrote to memory of 3420	4328	1OuniAu2Le7dBE2Q.exe	90
PID 4328 wrote to memory of 3420	4328	1OuniAu2Le7dBE2Q.exe	90
PID 4328 wrote to memory of 3420	4328	1OuniAu2Le7dBE2Q.exe	90
PID 4328 wrote to memory of 3420	4328	1OuniAu2Le7dBE2Q.exe	90
PID 3420 wrote to memory of 2288	3420	1OuniAu2Le7dBE2Q.exe	95
PID 3420 wrote to memory of 2288	3420	1OuniAu2Le7dBE2Q.exe	95
PID 3420 wrote to memory of 2288	3420	1OuniAu2Le7dBE2Q.exe	95
PID 3264 wrote to memory of 4664	3264	vQ1p1rvBjvPPxKXc.exe	96
PID 3264 wrote to memory of 4664	3264	vQ1p1rvBjvPPxKXc.exe	96
PID 3264 wrote to memory of 4664	3264	vQ1p1rvBjvPPxKXc.exe	96
PID 3264 wrote to memory of 4664	3264	vQ1p1rvBjvPPxKXc.exe	96
PID 3264 wrote to memory of 4664	3264	vQ1p1rvBjvPPxKXc.exe	96
PID 3264 wrote to memory of 4664	3264	vQ1p1rvBjvPPxKXc.exe	96
PID 3264 wrote to memory of 4664	3264	vQ1p1rvBjvPPxKXc.exe	96
PID 3264 wrote to memory of 4664	3264	vQ1p1rvBjvPPxKXc.exe	96
PID 3264 wrote to memory of 4664	3264	vQ1p1rvBjvPPxKXc.exe	96
PID 3264 wrote to memory of 4664	3264	vQ1p1rvBjvPPxKXc.exe	96
PID 3264 wrote to memory of 4664	3264	vQ1p1rvBjvPPxKXc.exe	96
PID 4540 wrote to memory of 3024	4540	wirar.exe	102
PID 4540 wrote to memory of 3024	4540	wirar.exe	102
PID 4540 wrote to memory of 3024	4540	wirar.exe	102
PID 4540 wrote to memory of 1836	4540	wirar.exe	103
PID 4540 wrote to memory of 1836	4540	wirar.exe	103
PID 4540 wrote to memory of 1836	4540	wirar.exe	103
PID 4540 wrote to memory of 1020	4540	wirar.exe	104
PID 4540 wrote to memory of 1020	4540	wirar.exe	104
PID 4540 wrote to memory of 1020	4540	wirar.exe	104

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe"
1⤵
- Checks computer location settings
- Drops desktop.ini file(s)
- Suspicious use of SetThreadContext
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2140
- C:\Users\Admin\AppData\Local\Temp\1OuniAu2Le7dBE2Q.exe
  "C:\Users\Admin\AppData\Local\Temp\1OuniAu2Le7dBE2Q.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:4328
- - C:\Users\Admin\AppData\Local\Temp\1OuniAu2Le7dBE2Q.exe
    "C:\Users\Admin\AppData\Local\Temp\1OuniAu2Le7dBE2Q.exe"
    3⤵
    - Executes dropped EXE
    PID:1940
- - C:\Users\Admin\AppData\Local\Temp\1OuniAu2Le7dBE2Q.exe
    "C:\Users\Admin\AppData\Local\Temp\1OuniAu2Le7dBE2Q.exe"
    3⤵
    - Executes dropped EXE
    PID:4012
- - C:\Users\Admin\AppData\Local\Temp\1OuniAu2Le7dBE2Q.exe
    "C:\Users\Admin\AppData\Local\Temp\1OuniAu2Le7dBE2Q.exe"
    3⤵
    - Executes dropped EXE
    PID:3520
- - C:\Users\Admin\AppData\Local\Temp\1OuniAu2Le7dBE2Q.exe
    "C:\Users\Admin\AppData\Local\Temp\1OuniAu2Le7dBE2Q.exe"
    3⤵
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:3420
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe"
      4⤵
      System Location Discovery: System Language Discovery
      PID:2288
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 1180
    3⤵
    - Program crash
    PID:3220
- C:\Users\Admin\AppData\Local\Temp\vQ1p1rvBjvPPxKXc.exe
  "C:\Users\Admin\AppData\Local\Temp\vQ1p1rvBjvPPxKXc.exe"
  2⤵
  - Executes dropped EXE
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3264
- - C:\Users\Admin\AppData\Local\Temp\vQ1p1rvBjvPPxKXc.exe
    "C:\Users\Admin\AppData\Local\Temp\vQ1p1rvBjvPPxKXc.exe"
    3⤵
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    PID:4664
  - - C:\ProgramData\images.exe
      "C:\ProgramData\images.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:2384
    - - C:\ProgramData\images.exe
        
        "C:\ProgramData\images.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:956
      - C:\Windows\SysWOW64\cmd.exe
        
        "C:\Windows\System32\cmd.exe"
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:4640
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2384 -s 1096
        5⤵
        Program crash
        
        PID:4504
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 3264 -s 1108
    3⤵
    - Program crash
    PID:2496
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_ca774575a2253b0aa51d7294cc45e5b7.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2636
- - C:\Users\Admin\Documents\wirar.exe
    "C:\Users\Admin\Documents\wirar.exe"
    3⤵
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4540
  - - C:\Users\Admin\AppData\Local\Temp\KFHVz2Plgr7F004P.exe
      "C:\Users\Admin\AppData\Local\Temp\KFHVz2Plgr7F004P.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:3024
    - - C:\Users\Admin\AppData\Local\Temp\KFHVz2Plgr7F004P.exe
        
        "C:\Users\Admin\AppData\Local\Temp\KFHVz2Plgr7F004P.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2072
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 3024 -s 1164
        5⤵
        Program crash
        
        PID:4948
  - - C:\Users\Admin\AppData\Local\Temp\HESlDJFRB3QLwjNU.exe
      "C:\Users\Admin\AppData\Local\Temp\HESlDJFRB3QLwjNU.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious behavior: EnumeratesProcesses
      Suspicious use of AdjustPrivilegeToken
      PID:1836
    - - C:\Users\Admin\AppData\Local\Temp\HESlDJFRB3QLwjNU.exe
        
        "C:\Users\Admin\AppData\Local\Temp\HESlDJFRB3QLwjNU.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2004
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1836 -s 1076
        5⤵
        Program crash
        
        PID:4952
  - - C:\Users\Admin\Documents\wirar.exe
      "C:\Users\Admin\Documents\wirar.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:1020
    - - C:\Windows\SysWOW64\notepad.exe
        
        notepad
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1696

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 4328 -ip 4328
1⤵
PID:4428

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 476 -p 3264 -ip 3264
1⤵
PID:988

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 468 -p 3024 -ip 3024
1⤵
PID:1468

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 464 -p 2384 -ip 2384
1⤵
PID:4412

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 496 -p 1836 -ip 1836
1⤵
PID:4912

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\1OuniAu2Le7dBE2Q.exe

Filesize
646KB

MD5
451ab0b0c52f20e51e8fcdb8b2b97d2e

SHA1
677179dfdb1576fcee1c064916735aae6e4e8ae1

SHA256
4980a38edecf75929294468ab5e32a26cc235d2544a9047de66c4620c9f835d0

SHA512
697ed282486addf8f0da329deaa9134790d6b4766f5bc7be37f466f3e16aa2167286c57fd3771c96177a78698f93a6e674d2efaebda5f8da5d330a714821d8c1

Download Submit
C:\Users\Admin\AppData\Local\Temp\vQ1p1rvBjvPPxKXc.exe

Filesize
588KB

MD5
72d376e15678248531147e2b99a5506a

SHA1
b00bbc94047cbfecd2252630f223432a0655040d

SHA256
b7c6b990631465389889e1d1e5760044a161f60886ed05a2f9930288e59084e7

SHA512
3a2b6f1810bdc4d8e6807d5d7e1f8db9a81ea3527bfc03b0c8435da3223ace84af9cc27d83be1d1d65e1a21b382b2686b87ace6f7d31ba6fab7d3beed72ea193

Download Submit
C:\Users\Admin\Documents\wirar.exe

Filesize
1.8MB

MD5
ca774575a2253b0aa51d7294cc45e5b7

SHA1
150df3f0e8e861f802157084bc64a8ec8b34fa42

SHA256
62db18b1b1d4ac66d198ecfbc1195dc13373fd29833c58bf71cfa4255679c578

SHA512
8fd26c938e24f67c1f25e22bc59b73ffcf44ecdf6454eddf42d7ccb19fa132533b5d8ac2a2aea43c298e9c1858d769a5c9b514db71441daacec32a35c4573b07

Download Submit
memory/1020-134-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1020-138-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1020-137-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/1696-136-0x0000000000F40000-0x0000000000F41000-memory.dmp

Filesize
4KB

Download
memory/2140-0-0x0000000074DA2000-0x0000000074DA3000-memory.dmp

Filesize
4KB

Download
memory/2140-103-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download
memory/2140-102-0x0000000074DA2000-0x0000000074DA3000-memory.dmp

Filesize
4KB

Download
memory/2140-2-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download
memory/2140-1-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download
memory/2288-139-0x0000000000700000-0x0000000000701000-memory.dmp

Filesize
4KB

Download
memory/2636-29-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2636-37-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2636-31-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/2636-28-0x0000000000400000-0x00000000004BA000-memory.dmp

Filesize
744KB

Download
memory/3264-130-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download
memory/3264-34-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download
memory/3420-101-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/3420-98-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4328-108-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download
memory/4328-26-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download
memory/4328-32-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download
memory/4328-30-0x0000000074DA0000-0x0000000075351000-memory.dmp

Filesize
5.7MB

Download
memory/4640-157-0x0000000000BC0000-0x0000000000BC1000-memory.dmp

Filesize
4KB

Download
memory/4664-104-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download
memory/4664-106-0x0000000000400000-0x0000000000554000-memory.dmp

Filesize
1.3MB

Download