darkcomet | 57fd41c4cf91214e1d1bd6c7ab784072f03b0253ceb493b9976d34e03220fd0c

Analysis

max time kernel
93s
max time network
140s
platform
windows10-2004_x64
resource
win10v2004-20250129-en
resource tags

arch:x64arch:x86image:win10v2004-20250129-enlocale:en-usos:windows10-2004-x64system
submitted
29-01-2025 23:39

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Size

1.1MB
MD5

5c7bcd08091c8bdd42f289967fa4f364
SHA1

4ee9545b874b21cbde906fda3d233e7d4af8b300
SHA256

57fd41c4cf91214e1d1bd6c7ab784072f03b0253ceb493b9976d34e03220fd0c
SHA512

40224376a8810a2ed13eea3179b181d08544e94a7aef83a075c06c0997078c201f6b4bd9502074a9eb14431b1da1649ddac15a98309333f596baaded3b1fa86b
SSDEEP

24576:PCh6a/FoVKghO6EtOSCjonOmuZRe1Lhht0Arm5ZVbt:PCh5toVKfA6MSn0ArmTVx

Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

sabahhassan.no-ip.biz:1604

Mutex

DC_MUTEX-MHPA3BK

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
MAYkZ7Pow4iS
install
true
offline_keylogger
true
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe

Modifies firewall policy service 3 TTPs 3 IoCs

defense_evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

description	ioc	Process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	msdcsc.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	msdcsc.exe

Windows security bypass 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Disables RegEdit via registry modification 1 IoCs

defense_evasion

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	msdcsc.exe

Disables Task Manager via registry modification
defense_evasion

Sets file to hidden 1 TTPs 2 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
588	attrib.exe
1628	attrib.exe

Checks computer location settings 2 TTPs 4 IoCs

Looks up country code configured in the registry, likely geofence.

Query Registry

T1012

System Information Discovery

T1082

description	ioc	Process
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	msdcsc.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	8BALLRULER+1.1+(WIN).EXE
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Key value queried	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\Control Panel\International\Geo\Nation	8BALLRULER+1.1+(WIN).EXE

Deletes itself 1 IoCs

pid	Process
224	notepad.exe

Executes dropped EXE 7 IoCs

pid	Process
424	8BALLRULER+1.1+(WIN).EXE
4256	Install 8BallRuler.exe
2396	msdcsc.exe
4180	msdcsc.exe
4244	msdcsc.exe
4584	8BALLRULER+1.1+(WIN).EXE
2612	Install 8BallRuler.exe

Windows security modification 2 TTPs 2 IoCs

defense_evasion trojan

Disable or Modify Tools

T1562.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"	msdcsc.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-70482961-775596374-3727440602-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Program crash 1 IoCs

pid	pid_target	Process	procid_target
4404	4328	WerFault.exe	104

Suspicious use of SetThreadContext 5 IoCs

description	pid	Process	procid_target
PID 3416 set thread context of 4112	3416	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	85
PID 4112 set thread context of 4836	4112	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	86
PID 2396 set thread context of 4180	2396	msdcsc.exe	99
PID 4180 set thread context of 4244	4180	msdcsc.exe	100
PID 4244 set thread context of 4328	4244	msdcsc.exe	104

Drops file in Program Files directory 1 IoCs

description	ioc	Process
File opened for modification	C:\Program Files (x86)\Internet Explorer\iexplore.exe	iexplore.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 16 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	iexplore.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	notepad.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8BALLRULER+1.1+(WIN).EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	8BALLRULER+1.1+(WIN).EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install 8BallRuler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	Install 8BallRuler.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe

Modifies registry class 1 IoCs

description	ioc	Process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeSecurityPrivilege	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeTakeOwnershipPrivilege	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeLoadDriverPrivilege	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeSystemProfilePrivilege	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeSystemtimePrivilege	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeProfSingleProcessPrivilege	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeIncBasePriorityPrivilege	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeCreatePagefilePrivilege	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeBackupPrivilege	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeRestorePrivilege	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeShutdownPrivilege	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeDebugPrivilege	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeSystemEnvironmentPrivilege	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeChangeNotifyPrivilege	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeRemoteShutdownPrivilege	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeUndockPrivilege	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeManageVolumePrivilege	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeImpersonatePrivilege	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeCreateGlobalPrivilege	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: 33	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: 34	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: 35	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: 36	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
Token: SeIncreaseQuotaPrivilege	4244	msdcsc.exe
Token: SeSecurityPrivilege	4244	msdcsc.exe
Token: SeTakeOwnershipPrivilege	4244	msdcsc.exe
Token: SeLoadDriverPrivilege	4244	msdcsc.exe
Token: SeSystemProfilePrivilege	4244	msdcsc.exe
Token: SeSystemtimePrivilege	4244	msdcsc.exe
Token: SeProfSingleProcessPrivilege	4244	msdcsc.exe
Token: SeIncBasePriorityPrivilege	4244	msdcsc.exe
Token: SeCreatePagefilePrivilege	4244	msdcsc.exe
Token: SeBackupPrivilege	4244	msdcsc.exe
Token: SeRestorePrivilege	4244	msdcsc.exe
Token: SeShutdownPrivilege	4244	msdcsc.exe
Token: SeDebugPrivilege	4244	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	4244	msdcsc.exe
Token: SeChangeNotifyPrivilege	4244	msdcsc.exe
Token: SeRemoteShutdownPrivilege	4244	msdcsc.exe
Token: SeUndockPrivilege	4244	msdcsc.exe
Token: SeManageVolumePrivilege	4244	msdcsc.exe
Token: SeImpersonatePrivilege	4244	msdcsc.exe
Token: SeCreateGlobalPrivilege	4244	msdcsc.exe
Token: 33	4244	msdcsc.exe
Token: 34	4244	msdcsc.exe
Token: 35	4244	msdcsc.exe
Token: 36	4244	msdcsc.exe

Suspicious use of SetWindowsHookEx 8 IoCs

pid	Process
3416	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
3416	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
4112	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
2396	msdcsc.exe
2396	msdcsc.exe
4180	msdcsc.exe
4328	iexplore.exe
4328	iexplore.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 3416 wrote to memory of 4112	3416	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	85
PID 3416 wrote to memory of 4112	3416	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	85
PID 3416 wrote to memory of 4112	3416	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	85
PID 3416 wrote to memory of 4112	3416	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	85
PID 3416 wrote to memory of 4112	3416	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	85
PID 3416 wrote to memory of 4112	3416	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	85
PID 3416 wrote to memory of 4112	3416	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	85
PID 3416 wrote to memory of 4112	3416	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	85
PID 4112 wrote to memory of 4836	4112	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	86
PID 4112 wrote to memory of 4836	4112	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	86
PID 4112 wrote to memory of 4836	4112	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	86
PID 4112 wrote to memory of 4836	4112	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	86
PID 4112 wrote to memory of 4836	4112	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	86
PID 4112 wrote to memory of 4836	4112	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	86
PID 4112 wrote to memory of 4836	4112	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	86
PID 4112 wrote to memory of 4836	4112	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	86
PID 4112 wrote to memory of 4836	4112	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	86
PID 4112 wrote to memory of 4836	4112	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	86
PID 4112 wrote to memory of 4836	4112	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	86
PID 4112 wrote to memory of 4836	4112	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	86
PID 4112 wrote to memory of 4836	4112	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	86
PID 4112 wrote to memory of 4836	4112	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	86
PID 4836 wrote to memory of 2704	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	87
PID 4836 wrote to memory of 2704	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	87
PID 4836 wrote to memory of 2704	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	87
PID 4836 wrote to memory of 4968	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	89
PID 4836 wrote to memory of 4968	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	89
PID 4836 wrote to memory of 4968	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	89
PID 4836 wrote to memory of 424	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	91
PID 4836 wrote to memory of 424	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	91
PID 4836 wrote to memory of 424	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	91
PID 2704 wrote to memory of 1628	2704	cmd.exe	92
PID 2704 wrote to memory of 1628	2704	cmd.exe	92
PID 2704 wrote to memory of 1628	2704	cmd.exe	92
PID 4968 wrote to memory of 588	4968	cmd.exe	93
PID 4968 wrote to memory of 588	4968	cmd.exe	93
PID 4968 wrote to memory of 588	4968	cmd.exe	93
PID 424 wrote to memory of 4256	424	8BALLRULER+1.1+(WIN).EXE	94
PID 424 wrote to memory of 4256	424	8BALLRULER+1.1+(WIN).EXE	94
PID 424 wrote to memory of 4256	424	8BALLRULER+1.1+(WIN).EXE	94
PID 4836 wrote to memory of 224	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	97
PID 4836 wrote to memory of 224	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	97
PID 4836 wrote to memory of 224	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	97
PID 4836 wrote to memory of 224	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	97
PID 4836 wrote to memory of 224	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	97
PID 4836 wrote to memory of 224	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	97
PID 4836 wrote to memory of 224	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	97
PID 4836 wrote to memory of 224	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	97
PID 4836 wrote to memory of 224	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	97
PID 4836 wrote to memory of 224	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	97
PID 4836 wrote to memory of 224	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	97
PID 4836 wrote to memory of 224	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	97
PID 4836 wrote to memory of 224	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	97
PID 4836 wrote to memory of 224	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	97
PID 4836 wrote to memory of 224	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	97
PID 4836 wrote to memory of 224	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	97
PID 4836 wrote to memory of 224	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	97
PID 4836 wrote to memory of 2396	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	98
PID 4836 wrote to memory of 2396	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	98
PID 4836 wrote to memory of 2396	4836	JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe	98
PID 2396 wrote to memory of 4180	2396	msdcsc.exe	99
PID 2396 wrote to memory of 4180	2396	msdcsc.exe	99
PID 2396 wrote to memory of 4180	2396	msdcsc.exe	99
PID 2396 wrote to memory of 4180	2396	msdcsc.exe	99

Views/modifies file attributes 1 TTPs 2 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
1628	attrib.exe
588	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe"
1⤵
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3416
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe"
  2⤵
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:4112
- - C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe
    "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID:4836
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe" +s +h
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:2704
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_5c7bcd08091c8bdd42f289967fa4f364.exe" +s +h
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:1628
  - - C:\Windows\SysWOW64\cmd.exe
      "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      4⤵
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:4968
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        5⤵
        Sets file to hidden
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:588
  - - C:\Users\Admin\AppData\Local\Temp\8BALLRULER+1.1+(WIN).EXE
      "C:\Users\Admin\AppData\Local\Temp\8BALLRULER+1.1+(WIN).EXE"
      4⤵
      Checks computer location settings
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of WriteProcessMemory
      PID:424
    - - C:\Users\Admin\AppData\Local\Temp\AIR8712.tmp\Install 8BallRuler.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AIR8712.tmp\Install 8BallRuler.exe"
        5⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4256
  - - C:\Windows\SysWOW64\notepad.exe
      notepad
      4⤵
      Deletes itself
      System Location Discovery: System Language Discovery
      PID:224
  - - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      4⤵
      Executes dropped EXE
      Suspicious use of SetThreadContext
      System Location Discovery: System Language Discovery
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2396
    - - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        5⤵
        Executes dropped EXE
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4180
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        
        "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        6⤵
        Modifies firewall policy service
        Windows security bypass
        Disables RegEdit via registry modification
        Checks computer location settings
        Executes dropped EXE
        Windows security modification
        Adds Run key to start application
        Suspicious use of SetThreadContext
        System Location Discovery: System Language Discovery
        Suspicious use of AdjustPrivilegeToken
        
        PID:4244
        
        C:\Users\Admin\AppData\Local\Temp\8BALLRULER+1.1+(WIN).EXE
        
        "C:\Users\Admin\AppData\Local\Temp\8BALLRULER+1.1+(WIN).EXE"
        7⤵
        Checks computer location settings
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:4584
        
        C:\Users\Admin\AppData\Local\Temp\AIR8E36.tmp\Install 8BallRuler.exe
        
        "C:\Users\Admin\AppData\Local\Temp\AIR8E36.tmp\Install 8BallRuler.exe"
        8⤵
        Executes dropped EXE
        System Location Discovery: System Language Discovery
        
        PID:2612
        
        C:\Program Files (x86)\Internet Explorer\iexplore.exe
        
        "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        7⤵
        Drops file in Program Files directory
        System Location Discovery: System Language Discovery
        Suspicious use of SetWindowsHookEx
        
        PID:4328
        
        C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 4328 -s 696
        8⤵
        Program crash
        
        PID:4404

C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 444 -p 4328 -ip 4328
1⤵
PID:4252

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Impair Defenses

T1562

Disable or Modify System Firewall

T1562.004

Disable or Modify Tools

T1562.001

Modify Registry

T1112

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
471B

MD5
878f8d66bb54f3eb67e664b651d8c43c

SHA1
cc64c26e0857e82d44e841b76a0c7e2e18693e5b

SHA256
93389569d9a9cc286958599ff2721f6dcd2212ce0347130cc581bea02c8e49bd

SHA512
8e1d942672608ffd658015aee869ef45197bfb9d0a949633c552ed3aab06bb52416188db2b4bdabea4b5acb8f47708c32dff87d7d9535b750b968bc82e21cb37

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\B398B80134F72209547439DB21AB308D_A4CF52CCA82D7458083F7280801A3A04

Filesize
400B

MD5
ce62711cdfae2ecfeb4e2c38e8dd57ec

SHA1
0b96fcc5b45249068890b835e3b82746337f86c9

SHA256
072954b3a001f27a1752101cdf9aaa8c2c666d8ed3bbfef7e185fedee6017348

SHA512
ebd82e74f84eb748d4e82a1c58ffd927e49a2be9db55b58325116a5859ff977e28e4d8f2e612b73ee08342e793a46def6a9b87a70a32c4024a825bd97685b2a0

Download Submit
C:\Users\Admin\AppData\Local\Adobe\AIR\logs\Install.log

Filesize
286B

MD5
5ecf41ce3122f8b70908c5dc69db592c

SHA1
447192c3715232e3419204cc793ae7a723fd0ff5

SHA256
b3dfbbc05645b18f1658bc6262385a7b419c953646c5ccf313c296cbbf8d11ad

SHA512
196ea0352f44903872aa9f51adb854f5a1bb0b8116fa994bf8a9a0ff4b933fc22942ba0159910e2314680385aa5ed76efd770dc79384d5656026510f23d8cc09

Download Submit
C:\Users\Admin\AppData\Local\Adobe\AIR\logs\Install.log

Filesize
535B

MD5
6851b95777b8898c3b175177bf35b725

SHA1
524c492da9a782ca6d20d082aead2a767259a87c

SHA256
2f97253d698393c6d11967812b35c0e2f92522b47da31ec5735349260ee4c3ac

SHA512
791c1175cca4bd6a0e9e5ec71168bdf5d9a7115ad3ef75a9a270e108f8c60a6a16f8ee01a8319acffd9d396e63f1e2fe42754b5fb5d626d4d1fc350514474a44

Download Submit
C:\Users\Admin\AppData\Local\Temp\8BALLRULER+1.1+(WIN).EXE

Filesize
363KB

MD5
4b0fe4b36e5ed0f224bf6f2108ba9e9e

SHA1
948b52946060ad29c94b4e2d150e2a77bbee4c5e

SHA256
bc09b11b3963f2ea59fce5bc783e5d2592bb888d037adba030b54bf2165281b8

SHA512
1caf3f179c9de1c7de46cc3e9f8708b0549e1c57b1a63fce6fe11fb20037e58a4d51286b8cc72029a290f67152edb1886f6067c9c17da4af790d49eeae5e56e3

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIR8712.tmp\.launch

Filesize
22B

MD5
030cf67122e16c6fb7a1d9712b2f3e25

SHA1
b2944a75dc99b0859dd19d8b9204de467e2e0d56

SHA256
68d6e0d1a7327895b8069ec31135744461a1586d0a5874d8e5eb882d3dcd0556

SHA512
3246b49861325768f454db2c5ddb76439be4fa16a0a3a5f197905a3bf596c28fca839d0b203c5d40a60f18e489fee3bf86e03323580f3ff4064d74cf67635e0b

Download Submit
C:\Users\Admin\AppData\Local\Temp\AIR8712.tmp\Install 8BallRuler.exe

Filesize
125KB

MD5
5b6bc0f14712a4ccbf59fba43b7be42a

SHA1
e953c7fcd227832294b7d7ca1a8fda53c5803597

SHA256
2c685d483172df43fcfb3a23ed0decedbe4087d37248a78d4b475033eebe5ccb

SHA512
22dbcd77b0756e6cd719fd50f3d8eee8394e858f154fe345c9339f9686d6af27316521437b6a74a82db965ad2ea6fadc6937b74d5c7a715f32a3009e5e7b0dac

Download Submit
C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-70482961-775596374-3727440602-1000\699c4b9cdebca7aaea5193cae8a50098_a2d6647b-15e6-46e1-9ab5-dbc4c38c21bd

Filesize
50B

MD5
5b63d4dd8c04c88c0e30e494ec6a609a

SHA1
884d5a8bdc25fe794dc22ef9518009dcf0069d09

SHA256
4d93c22555b3169e5c13716ca59b8b22892c69b3025aea841afe5259698102fd

SHA512
15ff8551ac6b9de978050569bcdc26f44dfc06a0eaf445ac70fd45453a21bdafa3e4c8b4857d6a1c3226f4102a639682bdfb71d7b255062fb81a51c9126896cb

Download Submit
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

Filesize
1.1MB

MD5
5c7bcd08091c8bdd42f289967fa4f364

SHA1
4ee9545b874b21cbde906fda3d233e7d4af8b300

SHA256
57fd41c4cf91214e1d1bd6c7ab784072f03b0253ceb493b9976d34e03220fd0c

SHA512
40224376a8810a2ed13eea3179b181d08544e94a7aef83a075c06c0997078c201f6b4bd9502074a9eb14431b1da1649ddac15a98309333f596baaded3b1fa86b

Download Submit
memory/224-49-0x0000000000450000-0x0000000000451000-memory.dmp

Filesize
4KB

Download
memory/4112-4-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4112-2-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4112-12-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4180-91-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4180-98-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4244-100-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4244-101-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4244-135-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4328-134-0x0000000000400000-0x000000000040E000-memory.dmp

Filesize
56KB

Download
memory/4836-13-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4836-105-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4836-14-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4836-10-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4836-8-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download
memory/4836-9-0x0000000000400000-0x000000000050D000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads