darkcomet | 07fd8d644486ee01d90818550d25a791fffa545ff66ad830e1d5ebe89fde9815

Analysis

max time kernel
29s
max time network
17s
platform
windows7_x64
resource
win7-20240729-en
resource tags

arch:x64arch:x86image:win7-20240729-enlocale:en-usos:windows7-x64system
submitted
11/02/2025, 10:36

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Size

1.5MB
MD5

e57571c566215a879481ec67a322a5e6
SHA1

742e9e26092fd619d939f31946775a6fbd5f94d7
SHA256

07fd8d644486ee01d90818550d25a791fffa545ff66ad830e1d5ebe89fde9815
SHA512

d00ac43c9e178a570e10c1e54166f55f3afd977e40537843135da80e580cb4cae7ce844bfeef69b3c279c2b0b79e7e710198ff732115efe41b2f47f602b65578
SSDEEP

24576:I3nbWmJVJFwSddIXvfhqbiaxvRxq9r3nbWmJVJFwSddIXvfhqbiaxvRxq9:OamdZdcBYqamdZdcBY

Score

10^/10

darkcomet guest16 defense_evasion discovery persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

lololol.hopto.org:4444

Mutex

DC_MUTEX-4HX0C0M

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
9�obSxkA/xKB
install
true
offline_keylogger
true
persistence
false
reg_key
Microsoft

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Modifies WinLogon for persistence 2 TTPs 9 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	TEST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	TEST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	TEST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	TEST.EXE
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Sets file to hidden 1 TTPs 6 IoCs

Modifies file attributes to stop it showing in Explorer etc.

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2908	attrib.exe
2632	attrib.exe
2440	attrib.exe
2276	attrib.exe
2120	attrib.exe
2224	attrib.exe

Executes dropped EXE 8 IoCs

pid	Process
2804	TEST.EXE
3060	msdcsc.exe
2252	TEST.EXE
2416	msdcsc.exe
1972	TEST.EXE
2492	msdcsc.exe
1520	TEST.EXE
2960	msdcsc.exe

Loads dropped DLL 41 IoCs

pid	Process
2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2652	WerFault.exe
2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
3060	msdcsc.exe
3060	msdcsc.exe
2644	WerFault.exe
2644	WerFault.exe
2644	WerFault.exe
2644	WerFault.exe
2644	WerFault.exe
3060	msdcsc.exe
3060	msdcsc.exe
2416	msdcsc.exe
2416	msdcsc.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2200	WerFault.exe
2416	msdcsc.exe
2416	msdcsc.exe
2492	msdcsc.exe
2492	msdcsc.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2068	WerFault.exe
2492	msdcsc.exe
2492	msdcsc.exe
748	WerFault.exe
748	WerFault.exe
748	WerFault.exe
748	WerFault.exe
748	WerFault.exe

Adds Run key to start application 2 TTPs 9 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	TEST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	TEST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	TEST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"	TEST.EXE
Set value (str)	\REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	msdcsc.exe

Drops file in System32 directory 19 IoCs

description	ioc	Process
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC	attrib.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Program crash 5 IoCs

pid	pid_target	Process	procid_target
2652	2804	WerFault.exe	34
2644	2252	WerFault.exe	45
2200	1972	WerFault.exe	50
2068	1520	WerFault.exe	63
748	2960	WerFault.exe	69

System Location Discovery: System Language Discovery 1 TTPs 27 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TEST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TEST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	msdcsc.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TEST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	TEST.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	attrib.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeIncreaseQuotaPrivilege	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeSecurityPrivilege	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeTakeOwnershipPrivilege	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeLoadDriverPrivilege	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeSystemProfilePrivilege	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeSystemtimePrivilege	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeProfSingleProcessPrivilege	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeIncBasePriorityPrivilege	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeCreatePagefilePrivilege	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeBackupPrivilege	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeRestorePrivilege	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeShutdownPrivilege	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeDebugPrivilege	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeSystemEnvironmentPrivilege	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeChangeNotifyPrivilege	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeRemoteShutdownPrivilege	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeUndockPrivilege	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeManageVolumePrivilege	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeImpersonatePrivilege	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeCreateGlobalPrivilege	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: 33	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: 34	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: 35	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
Token: SeIncreaseQuotaPrivilege	2804	TEST.EXE
Token: SeSecurityPrivilege	2804	TEST.EXE
Token: SeTakeOwnershipPrivilege	2804	TEST.EXE
Token: SeLoadDriverPrivilege	2804	TEST.EXE
Token: SeSystemProfilePrivilege	2804	TEST.EXE
Token: SeSystemtimePrivilege	2804	TEST.EXE
Token: SeProfSingleProcessPrivilege	2804	TEST.EXE
Token: SeIncBasePriorityPrivilege	2804	TEST.EXE
Token: SeCreatePagefilePrivilege	2804	TEST.EXE
Token: SeBackupPrivilege	2804	TEST.EXE
Token: SeRestorePrivilege	2804	TEST.EXE
Token: SeShutdownPrivilege	2804	TEST.EXE
Token: SeDebugPrivilege	2804	TEST.EXE
Token: SeSystemEnvironmentPrivilege	2804	TEST.EXE
Token: SeChangeNotifyPrivilege	2804	TEST.EXE
Token: SeRemoteShutdownPrivilege	2804	TEST.EXE
Token: SeUndockPrivilege	2804	TEST.EXE
Token: SeManageVolumePrivilege	2804	TEST.EXE
Token: SeImpersonatePrivilege	2804	TEST.EXE
Token: SeCreateGlobalPrivilege	2804	TEST.EXE
Token: 33	2804	TEST.EXE
Token: 34	2804	TEST.EXE
Token: 35	2804	TEST.EXE
Token: SeIncreaseQuotaPrivilege	3060	msdcsc.exe
Token: SeSecurityPrivilege	3060	msdcsc.exe
Token: SeTakeOwnershipPrivilege	3060	msdcsc.exe
Token: SeLoadDriverPrivilege	3060	msdcsc.exe
Token: SeSystemProfilePrivilege	3060	msdcsc.exe
Token: SeSystemtimePrivilege	3060	msdcsc.exe
Token: SeProfSingleProcessPrivilege	3060	msdcsc.exe
Token: SeIncBasePriorityPrivilege	3060	msdcsc.exe
Token: SeCreatePagefilePrivilege	3060	msdcsc.exe
Token: SeBackupPrivilege	3060	msdcsc.exe
Token: SeRestorePrivilege	3060	msdcsc.exe
Token: SeShutdownPrivilege	3060	msdcsc.exe
Token: SeDebugPrivilege	3060	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	3060	msdcsc.exe
Token: SeChangeNotifyPrivilege	3060	msdcsc.exe
Token: SeRemoteShutdownPrivilege	3060	msdcsc.exe
Token: SeUndockPrivilege	3060	msdcsc.exe
Token: SeManageVolumePrivilege	3060	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

description	pid	Process	procid_target
PID 2216 wrote to memory of 2756	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe	30
PID 2216 wrote to memory of 2756	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe	30
PID 2216 wrote to memory of 2756	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe	30
PID 2216 wrote to memory of 2756	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe	30
PID 2216 wrote to memory of 2760	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe	31
PID 2216 wrote to memory of 2760	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe	31
PID 2216 wrote to memory of 2760	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe	31
PID 2216 wrote to memory of 2760	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe	31
PID 2216 wrote to memory of 2804	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe	34
PID 2216 wrote to memory of 2804	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe	34
PID 2216 wrote to memory of 2804	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe	34
PID 2216 wrote to memory of 2804	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe	34
PID 2760 wrote to memory of 2908	2760	cmd.exe	35
PID 2760 wrote to memory of 2908	2760	cmd.exe	35
PID 2760 wrote to memory of 2908	2760	cmd.exe	35
PID 2760 wrote to memory of 2908	2760	cmd.exe	35
PID 2756 wrote to memory of 2632	2756	cmd.exe	36
PID 2756 wrote to memory of 2632	2756	cmd.exe	36
PID 2756 wrote to memory of 2632	2756	cmd.exe	36
PID 2756 wrote to memory of 2632	2756	cmd.exe	36
PID 2804 wrote to memory of 2600	2804	TEST.EXE	37
PID 2804 wrote to memory of 2600	2804	TEST.EXE	37
PID 2804 wrote to memory of 2600	2804	TEST.EXE	37
PID 2804 wrote to memory of 2600	2804	TEST.EXE	37
PID 2804 wrote to memory of 2652	2804	TEST.EXE	39
PID 2804 wrote to memory of 2652	2804	TEST.EXE	39
PID 2804 wrote to memory of 2652	2804	TEST.EXE	39
PID 2804 wrote to memory of 2652	2804	TEST.EXE	39
PID 2216 wrote to memory of 3060	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe	40
PID 2216 wrote to memory of 3060	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe	40
PID 2216 wrote to memory of 3060	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe	40
PID 2216 wrote to memory of 3060	2216	JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe	40
PID 3060 wrote to memory of 1432	3060	msdcsc.exe	41
PID 3060 wrote to memory of 1432	3060	msdcsc.exe	41
PID 3060 wrote to memory of 1432	3060	msdcsc.exe	41
PID 3060 wrote to memory of 1432	3060	msdcsc.exe	41
PID 3060 wrote to memory of 2148	3060	msdcsc.exe	43
PID 3060 wrote to memory of 2148	3060	msdcsc.exe	43
PID 3060 wrote to memory of 2148	3060	msdcsc.exe	43
PID 3060 wrote to memory of 2148	3060	msdcsc.exe	43
PID 3060 wrote to memory of 2252	3060	msdcsc.exe	45
PID 3060 wrote to memory of 2252	3060	msdcsc.exe	45
PID 3060 wrote to memory of 2252	3060	msdcsc.exe	45
PID 3060 wrote to memory of 2252	3060	msdcsc.exe	45
PID 2252 wrote to memory of 2644	2252	TEST.EXE	46
PID 2252 wrote to memory of 2644	2252	TEST.EXE	46
PID 2252 wrote to memory of 2644	2252	TEST.EXE	46
PID 2252 wrote to memory of 2644	2252	TEST.EXE	46
PID 3060 wrote to memory of 2416	3060	msdcsc.exe	47
PID 3060 wrote to memory of 2416	3060	msdcsc.exe	47
PID 3060 wrote to memory of 2416	3060	msdcsc.exe	47
PID 3060 wrote to memory of 2416	3060	msdcsc.exe	47
PID 2416 wrote to memory of 2796	2416	msdcsc.exe	48
PID 2416 wrote to memory of 2796	2416	msdcsc.exe	48
PID 2416 wrote to memory of 2796	2416	msdcsc.exe	48
PID 2416 wrote to memory of 2796	2416	msdcsc.exe	48
PID 2416 wrote to memory of 2560	2416	msdcsc.exe	49
PID 2416 wrote to memory of 2560	2416	msdcsc.exe	49
PID 2416 wrote to memory of 2560	2416	msdcsc.exe	49
PID 2416 wrote to memory of 2560	2416	msdcsc.exe	49
PID 2416 wrote to memory of 1972	2416	msdcsc.exe	50
PID 2416 wrote to memory of 1972	2416	msdcsc.exe	50
PID 2416 wrote to memory of 1972	2416	msdcsc.exe	50
PID 2416 wrote to memory of 1972	2416	msdcsc.exe	50

Views/modifies file attributes 1 TTPs 6 IoCs

defense_evasion

Hidden Files and Directories

T1564.001

pid	Process
2632	attrib.exe
2440	attrib.exe
2276	attrib.exe
2120	attrib.exe
2224	attrib.exe
2908	attrib.exe

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_e57571c566215a879481ec67a322a5e6.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2216
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2756
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2632
- C:\Windows\SysWOW64\cmd.exe
  cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
  2⤵
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID:2760
- - C:\Windows\SysWOW64\attrib.exe
    attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    3⤵
    - Sets file to hidden
    - System Location Discovery: System Language Discovery
    - Views/modifies file attributes
    PID:2908
- C:\Users\Admin\AppData\Local\Temp\TEST.EXE
  "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:2804
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2600
- - C:\Windows\SysWOW64\WerFault.exe
    C:\Windows\SysWOW64\WerFault.exe -u -p 2804 -s 568
    3⤵
    - Loads dropped DLL
    - Program crash
    PID:2652
- C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
  "C:\Windows\system32\MSDCSC\msdcsc.exe"
  2⤵
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID:3060
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:1432
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    PID:2148
- - C:\Users\Admin\AppData\Local\Temp\TEST.EXE
    "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2252
  - - C:\Windows\SysWOW64\WerFault.exe
      C:\Windows\SysWOW64\WerFault.exe -u -p 2252 -s 500
      4⤵
      Loads dropped DLL
      Program crash
      PID:2644
- - C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
    "C:\Windows\system32\MSDCSC\msdcsc.exe"
    3⤵
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:2416
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2796
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        5⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2440
  - - C:\Windows\SysWOW64\cmd.exe
      cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
      4⤵
      System Location Discovery: System Language Discovery
      PID:2560
    - - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        5⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2276
  - - C:\Users\Admin\AppData\Local\Temp\TEST.EXE
      "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:1972
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2208
    - - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1972 -s 568
        5⤵
        Loads dropped DLL
        Program crash
        
        PID:2200
  - - C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
      "C:\Windows\system32\MSDCSC\msdcsc.exe"
      4⤵
      Modifies WinLogon for persistence
      Executes dropped EXE
      Loads dropped DLL
      Adds Run key to start application
      Drops file in System32 directory
      System Location Discovery: System Language Discovery
      PID:2492
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:1812
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        6⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2224
    - - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        5⤵
        System Location Discovery: System Language Discovery
        
        PID:2964
      - C:\Windows\SysWOW64\attrib.exe
        
        attrib "C:\Windows\SysWOW64\MSDCSC" +s +h
        6⤵
        Sets file to hidden
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        Views/modifies file attributes
        
        PID:2120
    - - C:\Users\Admin\AppData\Local\Temp\TEST.EXE
        
        "C:\Users\Admin\AppData\Local\Temp\TEST.EXE"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        System Location Discovery: System Language Discovery
        
        PID:1520
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1716
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 1520 -s 560
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:2068
    - - C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        
        "C:\Windows\system32\MSDCSC\msdcsc.exe"
        5⤵
        Modifies WinLogon for persistence
        Executes dropped EXE
        Adds Run key to start application
        Drops file in System32 directory
        System Location Discovery: System Language Discovery
        
        PID:2960
      - C:\Windows\SysWOW64\cmd.exe
        
        cmd /c ""C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat" "
        6⤵
        System Location Discovery: System Language Discovery
        
        PID:1500
      - C:\Windows\SysWOW64\WerFault.exe
        
        C:\Windows\SysWOW64\WerFault.exe -u -p 2960 -s 560
        6⤵
        Loads dropped DLL
        Program crash
        
        PID:748

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Defense Evasion

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Local\Temp\TEST.EXE

Filesize
754KB

MD5
7c8451454c078352d19e7f3f01f2d340

SHA1
056769cebab6f2df146e5095807024f18171eb63

SHA256
dbb7441b265974145f28155e89ba8038c641519ecac7c73f665b13fb7dcb74a3

SHA512
7eadee3041a3c37b76f0ea7887daa754f981371bb04f58a3bdcccbbb8f57869b0d471da93058332ad289cb9cec23b644051dad69aad527af954463d7bfe111ba

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

Filesize
101B

MD5
7e82d6841fe4a6246e2d1defb9973b40

SHA1
e74efdad464532828451949d0b2eba7f6c2dfd72

SHA256
f842e7b6636d1cdb7d61bda968331085baa9d866c5c39e8cdc9c19931397799c

SHA512
7d29bf10f9c22310bcc45cece8587edf6a529c6dbbaa24ab4646ba30b3e79c996a961b548ecda2324c71dac0a98ba255682e30c023f5ae7abc56b1b3a0e7ff00

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

Filesize
50B

MD5
b774ae3fb1da087e1f83b4f7b2060e5a

SHA1
97eb9be49ac3af9c851c9e1e84e32bfd53e325a8

SHA256
adaf4a84b41e410b02e261cfd0fe7739d98647eab73c3badd32ac6e39f26351b

SHA512
f75d0f95f7306d26a12b414bfe37b97fbd37546cb3c6e403def7077329ddffb4b45d5c5f0ba0e7bb6d72851d2d691b0a85267beead42f7cbf2e8c3d45a3b4701

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

Filesize
59B

MD5
862cce3bb332dc4cf9fd6e9113de973b

SHA1
0d05e0eda29c8dc9b4da76af58d9611da135645f

SHA256
2a598ebaf355a0c08709a19b66f5a5f0799fb308d0f5c0847c4012ec36fe4533

SHA512
230b5da321f6bf68114447fbc63e65f2b78bb0d646f1c0fac4dbd8b7e01a69b84dadefefe510fc555b27ed89e18bb39b909fb3702290e636dd0b535e5076c7e0

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

Filesize
54B

MD5
b960305e23cbfd65106f326e54e2edfd

SHA1
522c5e95a4306797b3e71bbe62158087f779ee7a

SHA256
c31911cf00619f811195612355d7c762cd7e65d7d06756f62815b029cda65855

SHA512
294181df282b6901de3e2743a6986637303f7bc63555ad171c07f6457d2895907aeae800eb7f948ac6380ba87e76423eb150792d05754aa6152c9d9921edc024

Download Submit
C:\Users\Admin\AppData\Local\Temp\tmpcmd.bat

Filesize
43B

MD5
54552c311a8c2081eefdad310b19b5db

SHA1
718edabb22a5b5481815682eb1b3cd17c316c1dc

SHA256
233765af9f5b64cdcae82b709e94f3d26d9486c90e3074a79ebeb915e386bfea

SHA512
dc004dfaacba0417a6e631099c46ca99a832000286baabfa035a176e5b99fdd78f61c97a37d7d1b8e29711b657bc5df4bc601a28c431c38b2395347858cd4f02

Download Submit
\Windows\SysWOW64\MSDCSC\msdcsc.exe

Filesize
1.5MB

MD5
e57571c566215a879481ec67a322a5e6

SHA1
742e9e26092fd619d939f31946775a6fbd5f94d7

SHA256
07fd8d644486ee01d90818550d25a791fffa545ff66ad830e1d5ebe89fde9815

SHA512
d00ac43c9e178a570e10c1e54166f55f3afd977e40537843135da80e580cb4cae7ce844bfeef69b3c279c2b0b79e7e710198ff732115efe41b2f47f602b65578

Download Submit
memory/1520-186-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1520-185-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1972-189-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1972-190-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/1972-184-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2216-0-0x00000000003D0000-0x00000000003D1000-memory.dmp

Filesize
4KB

Download
memory/2216-56-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2252-188-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2252-182-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2252-191-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2416-126-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2492-165-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/2804-30-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/2804-181-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2804-192-0x0000000000400000-0x00000000004CB000-memory.dmp

Filesize
812KB

Download
memory/2960-183-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download
memory/3060-87-0x0000000000400000-0x0000000000587000-memory.dmp

Filesize
1.5MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads