darkcomet | 57fd41c4cf91214e1d1bd6c7ab784072f03b0253ceb493b9976d34e03220fd0c

Analysis

max time kernel
122s
max time network
122s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
29-01-2025 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Size

1.1MB
MD5

5c7bcd08091c8bdd42f289967fa4f364
SHA1

4ee9545b874b21cbde906fda3d233e7d4af8b300
SHA256

57fd41c4cf91214e1d1bd6c7ab784072f03b0253ceb493b9976d34e03220fd0c
SHA512

40224376a8810a2ed13eea3179b181d08544e94a7aef83a075c06c0997078c201f6b4bd9502074a9eb14431b1da1649ddac15a98309333f596baaded3b1fa86b
SSDEEP

24576:PCh6a/FoVKghO6EtOSCjonOmuZRe1Lhht0Arm5ZVbt:PCh5toVKfA6MSn0ArmTVx

Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

sabahhassan.no-ip.biz:1604

Mutex

DC_MUTEX-MHPA3BK

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
MAYkZ7Pow4iS
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe

Modifies firewall policy service 3 TTPs 3 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe

Windows security bypass 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	msdcsc.exe

Disables Task Manager via registry modification
defense_evasion

Downloads MZ/PE file 2 IoCs

flow	pid	Process
7	2672	Install 8BallRuler.exe
12	1800	Install 8BallRuler.exe

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2952	attrib.exe
2072	attrib.exe

Deletes itself 1 IoCs

pid	Process
1828	notepad.exe

Executes dropped EXE 7 IoCs

pid	Process
2820	8BALLRULER+1.1+(WIN).EXE
2672	Install 8BallRuler.exe
3000	msdcsc.exe
2908	msdcsc.exe
604	msdcsc.exe
2580	8BALLRULER+1.1+(WIN).EXE
1800	Install 8BallRuler.exe

Loads dropped DLL 12 IoCs

pid	Process
1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
2820	8BALLRULER+1.1+(WIN).EXE
2820	8BALLRULER+1.1+(WIN).EXE
2820	8BALLRULER+1.1+(WIN).EXE
2820	8BALLRULER+1.1+(WIN).EXE
1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
604	msdcsc.exe
2580	8BALLRULER+1.1+(WIN).EXE
2580	8BALLRULER+1.1+(WIN).EXE
2580	8BALLRULER+1.1+(WIN).EXE
2580	8BALLRULER+1.1+(WIN).EXE

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 2684 set thread context of 1928	2684	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	30
PID 1928 set thread context of 1764	1928	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	31
PID 3000 set thread context of 2908	3000	msdcsc.exe	43
PID 2908 set thread context of 604	2908	msdcsc.exe	44
PID 604 set thread context of 1540	604	msdcsc.exe	48

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8BALLRULER+1.1+(WIN).EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install 8BallRuler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install 8BallRuler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8BALLRULER+1.1+(WIN).EXE

Modifies system certificate store 2 TTPs 2 IoCs

defense_evasion spyware trojan

Install Root Certificate

T1553.004

Modify Registry

T1112

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436	Install 8BallRuler.exe
Set value (data)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\SystemCertificates\AuthRoot\Certificates\A8985D3A65E5E5C4B2D7D66D40C6DD2FB19C5436\Blob = 04000000010000001000000079e4a9840d7d3a96d7c04fe2434c892e0f0000000100000014000000b34ddd372ed92e8f2abfbb9e20a9d31f204f194b090000000100000034000000303206082b0601050507030106082b0601050507030206082b0601050507030406082b0601050507030306082b0601050507030814000000010000001400000003de503556d14cbb66f0a3e21b1bc397b23dd1550b00000001000000120000004400690067006900430065007200740000001d000000010000001000000059779e39e21a2e3dfced6857ed5c5fd9030000000100000014000000a8985d3a65e5e5c4b2d7d66d40c6dd2fb19c54361900000001000000100000000f3a0527d242de2dc98e5cfcb1e991ee2000000001000000b3030000308203af30820297a0030201020210083be056904246b1a1756ac95991c74a300d06092a864886f70d01010505003061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f74204341301e170d3036313131303030303030305a170d3331313131303030303030305a3061310b300906035504061302555331153013060355040a130c446967694365727420496e6331193017060355040b13107777772e64696769636572742e636f6d3120301e06035504031317446967694365727420476c6f62616c20526f6f7420434130820122300d06092a864886f70d01010105000382010f003082010a0282010100e23be11172dea8a4d3a357aa50a28f0b7790c9a2a5ee12ce965b010920cc0193a74e30b753f743c46900579de28d22dd870640008109cece1b83bfdfcd3b7146e2d666c705b37627168f7b9e1e957deeb748a308dad6af7a0c3906657f4a5d1fbc17f8abbeee28d7747f7a78995985686e5c23324bbf4ec0e85a6de370bf7710bffc01f685d9a844105832a97518d5d1a2be47e2276af49a33f84908608bd45fb43a84bfa1aa4a4c7d3ecf4f5f6c765ea04b37919edc22e66dce141a8e6acbfecdb3146417c75b299e32bff2eefad30b42d4abb74132da0cd4eff881d5bb8d583fb51be84928a270da3104ddf7b216f24c0a4e07a8ed4a3d5eb57fa390c3af270203010001a3633061300e0603551d0f0101ff040403020186300f0603551d130101ff040530030101ff301d0603551d0e0416041403de503556d14cbb66f0a3e21b1bc397b23dd155301f0603551d2304183016801403de503556d14cbb66f0a3e21b1bc397b23dd155300d06092a864886f70d01010505000382010100cb9c37aa4813120afadd449c4f52b0f4dfae04f5797908a32418fc4b2b84c02db9d5c7fef4c11f58cbb86d9c7a74e79829ab11b5e370a0a1cd4c8899938c9170e2ab0f1cbe93a9ff63d5e40760d3a3bf9d5b09f1d58ee353f48e63fa3fa7dbb466df6266d6d16e418df22db5ea774a9f9d58e22b59c04023ed2d2882453e7954922698e08048a837eff0d6796016deace80ecd6eac4417382f49dae1453e2ab93653cf3a5006f72ee8c457496c612118d504ad783c2c3a806ba7ebaf1514e9d889c1b9386ce2916c8aff64b977255730c01b24a3e1dce9df477cb5b424080530ec2dbd0bbf45bf50b9a9f3eb980112adc888c698345f8d0a3cc6e9d595956dde	Install 8BallRuler.exe

Suspicious use of AdjustPrivilegeToken 46 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeSecurityPrivilege	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeTakeOwnershipPrivilege	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeLoadDriverPrivilege	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeSystemProfilePrivilege	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeSystemtimePrivilege	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeProfSingleProcessPrivilege	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeIncBasePriorityPrivilege	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeCreatePagefilePrivilege	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeBackupPrivilege	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeRestorePrivilege	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeShutdownPrivilege	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeDebugPrivilege	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeSystemEnvironmentPrivilege	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeChangeNotifyPrivilege	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeRemoteShutdownPrivilege	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeUndockPrivilege	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeManageVolumePrivilege	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeImpersonatePrivilege	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeCreateGlobalPrivilege	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: 33	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: 34	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: 35	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeIncreaseQuotaPrivilege	604	msdcsc.exe
Token: SeSecurityPrivilege	604	msdcsc.exe
Token: SeTakeOwnershipPrivilege	604	msdcsc.exe
Token: SeLoadDriverPrivilege	604	msdcsc.exe
Token: SeSystemProfilePrivilege	604	msdcsc.exe
Token: SeSystemtimePrivilege	604	msdcsc.exe
Token: SeProfSingleProcessPrivilege	604	msdcsc.exe
Token: SeIncBasePriorityPrivilege	604	msdcsc.exe
Token: SeCreatePagefilePrivilege	604	msdcsc.exe
Token: SeBackupPrivilege	604	msdcsc.exe
Token: SeRestorePrivilege	604	msdcsc.exe
Token: SeShutdownPrivilege	604	msdcsc.exe
Token: SeDebugPrivilege	604	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	604	msdcsc.exe
Token: SeChangeNotifyPrivilege	604	msdcsc.exe
Token: SeRemoteShutdownPrivilege	604	msdcsc.exe
Token: SeUndockPrivilege	604	msdcsc.exe
Token: SeManageVolumePrivilege	604	msdcsc.exe
Token: SeImpersonatePrivilege	604	msdcsc.exe
Token: SeCreateGlobalPrivilege	604	msdcsc.exe
Token: 33	604	msdcsc.exe
Token: 34	604	msdcsc.exe
Token: 35	604	msdcsc.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
2684	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
2684	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
1928	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
3000	msdcsc.exe
3000	msdcsc.exe
2908	msdcsc.exe
1540	iexplore.exe
1540	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2684 wrote to memory of 1928	2684	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	30
PID 2684 wrote to memory of 1928	2684	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	30
PID 2684 wrote to memory of 1928	2684	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	30
PID 2684 wrote to memory of 1928	2684	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	30
PID 2684 wrote to memory of 1928	2684	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	30
PID 2684 wrote to memory of 1928	2684	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	30
PID 2684 wrote to memory of 1928	2684	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	30
PID 2684 wrote to memory of 1928	2684	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	30
PID 2684 wrote to memory of 1928	2684	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	30
PID 1928 wrote to memory of 1764	1928	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	31
PID 1928 wrote to memory of 1764	1928	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	31
PID 1928 wrote to memory of 1764	1928	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	31
PID 1928 wrote to memory of 1764	1928	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	31
PID 1928 wrote to memory of 1764	1928	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	31
PID 1928 wrote to memory of 1764	1928	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	31
PID 1928 wrote to memory of 1764	1928	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	31
PID 1928 wrote to memory of 1764	1928	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	31
PID 1928 wrote to memory of 1764	1928	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	31
PID 1928 wrote to memory of 1764	1928	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	31
PID 1928 wrote to memory of 1764	1928	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	31
PID 1928 wrote to memory of 1764	1928	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	31
PID 1928 wrote to memory of 1764	1928	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	31
PID 1764 wrote to memory of 2860	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	32
PID 1764 wrote to memory of 2860	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	32
PID 1764 wrote to memory of 2860	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	32
PID 1764 wrote to memory of 2860	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	32
PID 1764 wrote to memory of 2872	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	33
PID 1764 wrote to memory of 2872	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	33
PID 1764 wrote to memory of 2872	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	33
PID 1764 wrote to memory of 2872	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	33
PID 1764 wrote to memory of 2820	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	36
PID 1764 wrote to memory of 2820	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	36
PID 1764 wrote to memory of 2820	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	36
PID 1764 wrote to memory of 2820	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	36
PID 2872 wrote to memory of 2072	2872	cmd.exe	37
PID 2872 wrote to memory of 2072	2872	cmd.exe	37
PID 2872 wrote to memory of 2072	2872	cmd.exe	37
PID 2872 wrote to memory of 2072	2872	cmd.exe	37
PID 2860 wrote to memory of 2952	2860	cmd.exe	38
PID 2860 wrote to memory of 2952	2860	cmd.exe	38
PID 2860 wrote to memory of 2952	2860	cmd.exe	38
PID 2860 wrote to memory of 2952	2860	cmd.exe	38
PID 2820 wrote to memory of 2672	2820	8BALLRULER+1.1+(WIN).EXE	39
PID 2820 wrote to memory of 2672	2820	8BALLRULER+1.1+(WIN).EXE	39
PID 2820 wrote to memory of 2672	2820	8BALLRULER+1.1+(WIN).EXE	39
PID 2820 wrote to memory of 2672	2820	8BALLRULER+1.1+(WIN).EXE	39
PID 2820 wrote to memory of 2672	2820	8BALLRULER+1.1+(WIN).EXE	39
PID 2820 wrote to memory of 2672	2820	8BALLRULER+1.1+(WIN).EXE	39
PID 2820 wrote to memory of 2672	2820	8BALLRULER+1.1+(WIN).EXE	39
PID 1764 wrote to memory of 1828	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	41
PID 1764 wrote to memory of 1828	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	41
PID 1764 wrote to memory of 1828	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	41
PID 1764 wrote to memory of 1828	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	41
PID 1764 wrote to memory of 1828	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	41
PID 1764 wrote to memory of 1828	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	41
PID 1764 wrote to memory of 1828	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	41
PID 1764 wrote to memory of 1828	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	41
PID 1764 wrote to memory of 1828	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	41
PID 1764 wrote to memory of 1828	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	41
PID 1764 wrote to memory of 1828	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	41
PID 1764 wrote to memory of 1828	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	41
PID 1764 wrote to memory of 1828	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	41
PID 1764 wrote to memory of 1828	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	41
PID 1764 wrote to memory of 1828	1764	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	41

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2952	attrib.exe
2072	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2684
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:1928
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:1764
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe" +s +h
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2860
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe" +s +h
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2952
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2872
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2072
  - - C:\Users\Admin\AppData\Local\Temp\8BALLRULER+1.1+(WIN).EXE
      "C:\Users\Admin\AppData\Local\Temp\8BALLRULER+1.1+(WIN).EXE"
      4⤵
      Executes dropped EXE
      Loads dropped DLL
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2820
    - - C:\Users\Admin\AppData\Local\Temp\AIR8334.tmp\Install 8BallRuler.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AIR8334.tmp\Install 8BallRuler.exe"
        5⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        Modifies system certificate store
        
        PID:2672
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      Deletes itself
      System Location Discovery: System Language Discovery
      PID:1828
  - - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      PID:3000
    - - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:2908
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Modifies firewall policy service
        Windows security bypass
        Disables RegEdit via registry modification
        Executes dropped EXE
        Loads dropped DLL
        Windows security modification
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:604
        
        C:\Users\Admin\AppData\Local\Temp\8BALLRULER+1.1+(WIN).EXE
        
        "C:\Users\Admin\AppData\Local\Temp\8BALLRULER+1.1+(WIN).EXE"
        7⤵
        Executes dropped EXE
        Loads dropped DLL
        System Location Discovery: System Language Discovery
        
        PID:2580
        
        C:\Users\Admin\AppData\Local\Temp\AIR89C9.tmp\Install 8BallRuler.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AIR89C9.tmp\Install 8BallRuler.exe"
        8⤵
        Downloads MZ/PE file
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:1800
        
        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        7⤵
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:1540

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Subvert Trust Controls

T1553

Install Root Certificate

T1553.004

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
878f8d66bb54f3eb67e664b651d8c43c

SHA1
cc64c26e0857e82d44e841b76a0c7e2e18693e5b

SHA256
93389569d9a9cc286958599ff2721f6dcd2212ce0347130cc581bea02c8e49bd

SHA512
8e1d942672608ffd658015aee869ef45197bfb9d0a949633c552ed3aab06bb52416188db2b4bdabea4b5acb8f47708c32dff87d7d9535b750b968bc82e21cb37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
5cb06f7b825129f508e9c369e553192f

SHA1
4f54c964919aa15a34def03f6b86c1a413a2140f

SHA256
223e58467e020dabde666a95bdc8fc5f34483b058decd715c971d41ca7bf6212

SHA512
c4bac3582d2ae14defdc233c39543fb0bec7925a04b489e8f19d78ee3afb05dc0e9d2dbef8b7bdd0b12508a1de5658e30043c057cd79aeb80c67fde173a12b99

Download Submit
C:\Users\Admin\AppData\Local\Adobe\AIR\logs\Install.log

Filesize
308B

MD5
62de85183639be68e6ebeee9021fd3fb

SHA1
3b15b09170443b315b81c25ccf9a46b1186f3086

SHA256
f9a1661b2d5787083ca0ff2b6ece5404677abd1a5f7ffe428c22c983d8b9b2ff

SHA512
efc3a6c9d7c5150b1529b0ca0fad5881c20f2885d0695c4cf625d55f031fd056525571e698bddd4bcb82a116694693bf52ad574d6bb994502db809ce8866c79b

Download Submit
C:\Users\Admin\AppData\Local\Adobe\AIR\logs\Install.log

Filesize
517B

MD5
4accfaf741a0cedd8cc3d5fa6154c441

SHA1
c1093aadb062350395fe702f4235e16a52515b62

SHA256
cb7c9627ada0a7eab55e7957cf00a351ab6dbc3788da3d7fc6e30febe3f0d188

SHA512
5a5c5eeb1752a1a527f43c9582757244c9c32400d2e3d7a5d66b6fea8eb007f33e25eed0ec1d0b1f63b6ebc0bb09c559be40f6ff75f96a3dbb9debee4fe8aaec

Download Submit
C:\Users\Admin\AppData\Local\Adobe\AIR\logs\Install.log

Filesize
921B

MD5
e90aff00748a2d732e46df66aaf42295

SHA1
b1d0677acbaca974c52d4de8aace7592bd15c273

SHA256
40d2abd34b4802b96c206038df2d93ea203b934a50ec4457f52860c225ae90ca

SHA512
84c9b028cfb8df229d739ed1248f68a0ee94c20267b6a3b99bd3d35ee196a422414ee8214c0ba4631868dc21252e0de05a7473479b295bd72bb77217f68cb495

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIR8334.tmp\.launch

Filesize
22B

MD5
030cf67122e16c6fb7a1d9712b2f3e25

SHA1
b2944a75dc99b0859dd19d8b9204de467e2e0d56

SHA256
68d6e0d1a7327895b8069ec31135744461a1586d0a5874d8e5eb882d3dcd0556

SHA512
3246b49861325768f454db2c5ddb76439be4fa16a0a3a5f197905a3bf596c28fca839d0b203c5d40a60f18e489fee3bf86e03323580f3ff4064d74cf67635e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\Cab95E9.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-2872745919-2748461613-2989606286-1000\699c4b9cdebca7aaea5193cae8a50098_4d69f9e1-559c-46cf-82ac-67913db47c55

Filesize
50B

MD5
5b63d4dd8c04c88c0e30e494ec6a609a

SHA1
884d5a8bdc25fe794dc22ef9518009dcf0069d09

SHA256
4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd

SHA512
15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb

Download Submit
\Users\Admin\AppData\Local\Temp\8BALLRULER+1.1+(WIN).EXE

Filesize
363KB

MD5
4b0fe4b36e5ed0f224bf6f2108ba9e9e

SHA1
948b52946060ad29c94b4e2d150e2a77bbee4c5e

SHA256
bc09b11b3963f2ea59fce5bc783e5d2592bb888d037adba030b54bf2165281b8

SHA512
1caf3f179c9de1c7de46cc3e9f8708b0549e1c57b1a63fce6fe11fb20037e58a4d51286b8cc72029a290f67152edb1886f6067c9c17da4af790d49eeae5e56e3

Download Submit
\Users\Admin\AppData\Local\Temp\AIR8334.tmp\Install 8BallRuler.exe

Filesize
125KB

MD5
5b6bc0f14712a4ccbf59fba43b7be42a

SHA1
e953c7fcd227832294b7d7ca1a8fda53c5803597

SHA256
2c685d483172df43fcfb3a23ed0decedbe4087d37248a78d4b475033eebe5ccb

SHA512
22dbcd77b0756e6cd719fd50f3d8eee8394e858f154fe345c9339f9686d6af27316521437b6a74a82db965ad2ea6fadc6937b74d5c7a715f32a3009e5e7b0dac

Download Submit
\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
1.1MB

MD5
5c7bcd08091c8bdd42f289967fa4f364

SHA1
4ee9545b874b21cbde906fda3d233e7d4af8b300

SHA256
57fd41c4cf91214e1d1bd6c7ab784072f03b0253ceb493b9976d34e03220fd0c

SHA512
40224376a8810a2ed13eea3179b181d08544e94a7aef83a075c06c0997078c201f6b4bd9502074a9eb14431b1da1649ddac15a98309333f596baaded3b1fa86b

Download Submit
memory/1764-20-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1764-145-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1764-8-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1764-32-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1764-31-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1764-12-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1764-28-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1764-14-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1764-27-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1764-26-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1764-16-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1764-18-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1764-24-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/1764-10-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1764-22-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/1828-69-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/1828-97-0x0000000000190000-0x0000000000191000-memory.dmp

Filesize
4KB

Download
memory/1928-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1928-30-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1928-4-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads