darkcomet | 034dd5f6be4f9da37e326472542f527b921443939b1b41b2f4ac1371f475c26a

Analysis

max time kernel
150s
max time network
144s
platform
windows7_x64
resource
win7-20240903-en
resource tags

arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system
submitted
19/02/2025, 02:11

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe
Size

760KB
MD5

02e2120ae73f45f30fe140d7b6e90d98
SHA1

3220919465989236c7a886e4816236c738b3abc5
SHA256

034dd5f6be4f9da37e326472542f527b921443939b1b41b2f4ac1371f475c26a
SHA512

9e6bf2c2c4ccd8d7edc5b4ccda5fe461306a1826be379c2e8845b6b95ab5770ff0488559dbcda54e1ffdb4039104b58a2eef42b10e73eebb8b874ea94844e21e
SSDEEP

12288:KEBZ4Qy6YX5PgkSndWqbG4gbuoBFfBgmlS8J8jYtzkxaplmdRl2Rrk:By3X54knqhILXfCmlSuqYtzk0ela

Score

10^/10

darkcomet hq-bot discovery persistence rat trojan upx

Malware Config

Extracted

Family

darkcomet

Botnet

HQ-Bot

lloydharriton.no-ip.info:3399

Mutex

DC_MUTEX-7FFHJX4

Attributes

gencode
5RtJMb9vLS9x
install
false
offline_keylogger
true
password
123456789z
persistence
false

rc4.plain

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet
Darkcomet family
darkcomet

Executes dropped EXE 3 IoCs

pid	Process
2584	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe
3020	news.exe
2892	news.exe

Loads dropped DLL 6 IoCs

pid	Process
2728	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe
2584	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe
2584	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe
2584	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe
2584	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe
2584	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe

Adds Run key to start application 2 TTPs 1 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

description	ioc	Process
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Windows\CurrentVersion\Run\nono = "C:\\Users\\Admin\\AppData\\Roaming\\nono\\news.exe"	reg.exe

Suspicious use of SetThreadContext 3 IoCs

description	pid	Process	procid_target
PID 2728 set thread context of 2584	2728	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe	30
PID 3020 set thread context of 2892	3020	news.exe	35
PID 3020 set thread context of 2032	3020	news.exe	36

UPX packed file 11 IoCs

Detects executables packed with UPX/modified UPX open source packer.

upx

resource	yara_rule
behavioral1/memory/2584-43-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2584-39-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2584-37-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2584-46-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2584-47-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2584-48-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2584-49-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2892-159-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2584-158-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2584-162-0x0000000000400000-0x000000000040B000-memory.dmp	upx
behavioral1/memory/2892-591-0x0000000000400000-0x000000000040B000-memory.dmp	upx

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

System Location Discovery: System Language Discovery 1 TTPs 7 IoCs

Attempt gather information about the system language of a victim in order to infer the geographical location of that host.

discovery

System Language Discovery

T1614.001

description	ioc	Process
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	news.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	news.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	IEXPLORE.EXE
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	cmd.exe
Key opened	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language	reg.exe

Modifies Internet Explorer settings 1 TTPs 28 IoCs

adware spyware

Modify Registry

T1112

description	ioc	Process
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes\DownloadRetries = "3"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DontShowMeThisDialogAgain	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Zoom	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar\WebBrowser	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive\{CD20A7A1-EEA3-11EF-B17F-465533733A50} = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IntelliForms	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive	iexplore.exe
Set value (data)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\BrowserEmulation\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\PageSetup	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main	IEXPLORE.EXE
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "1"	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\GPU	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\InternetRegistry	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Toolbar	iexplore.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Main\FullScreen = "no"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery	iexplore.exe
Set value (int)	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446119143"	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\IETld\LowMic	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\LowRegistry\DOMStorage	iexplore.exe
Key created	\REGISTRY\USER\S-1-5-21-2872745919-2748461613-2989606286-1000\Software\Microsoft\Internet Explorer\SearchScopes	iexplore.exe

Suspicious use of AdjustPrivilegeToken 64 IoCs

description	pid	Process
Token: SeShutdownPrivilege	2728	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe
Token: SeShutdownPrivilege	2728	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe
Token: SeShutdownPrivilege	2728	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe
Token: SeShutdownPrivilege	2728	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe
Token: SeShutdownPrivilege	2728	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe
Token: SeShutdownPrivilege	2728	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe
Token: SeShutdownPrivilege	2728	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe
Token: SeShutdownPrivilege	3020	news.exe
Token: SeShutdownPrivilege	3020	news.exe
Token: SeShutdownPrivilege	3020	news.exe
Token: SeShutdownPrivilege	3020	news.exe
Token: SeShutdownPrivilege	3020	news.exe
Token: SeShutdownPrivilege	3020	news.exe
Token: SeShutdownPrivilege	3020	news.exe
Token: SeShutdownPrivilege	3020	news.exe
Token: SeShutdownPrivilege	3020	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe
Token: SeDebugPrivilege	2892	news.exe

Suspicious use of FindShellTrayWindow 1 IoCs

pid	Process
2032	iexplore.exe

Suspicious use of SetWindowsHookEx 10 IoCs

pid	Process
2728	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe
2584	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe
3020	news.exe
2892	news.exe
2032	iexplore.exe
2032	iexplore.exe
2228	IEXPLORE.EXE
2228	IEXPLORE.EXE
2228	IEXPLORE.EXE
2228	IEXPLORE.EXE

Suspicious use of WriteProcessMemory 44 IoCs

description	pid	Process	procid_target
PID 2728 wrote to memory of 2584	2728	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe	30
PID 2728 wrote to memory of 2584	2728	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe	30
PID 2728 wrote to memory of 2584	2728	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe	30
PID 2728 wrote to memory of 2584	2728	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe	30
PID 2728 wrote to memory of 2584	2728	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe	30
PID 2728 wrote to memory of 2584	2728	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe	30
PID 2728 wrote to memory of 2584	2728	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe	30
PID 2728 wrote to memory of 2584	2728	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe	30
PID 2584 wrote to memory of 792	2584	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe	31
PID 2584 wrote to memory of 792	2584	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe	31
PID 2584 wrote to memory of 792	2584	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe	31
PID 2584 wrote to memory of 792	2584	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe	31
PID 792 wrote to memory of 624	792	cmd.exe	33
PID 792 wrote to memory of 624	792	cmd.exe	33
PID 792 wrote to memory of 624	792	cmd.exe	33
PID 792 wrote to memory of 624	792	cmd.exe	33
PID 2584 wrote to memory of 3020	2584	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe	34
PID 2584 wrote to memory of 3020	2584	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe	34
PID 2584 wrote to memory of 3020	2584	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe	34
PID 2584 wrote to memory of 3020	2584	JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe	34
PID 3020 wrote to memory of 2892	3020	news.exe	35
PID 3020 wrote to memory of 2892	3020	news.exe	35
PID 3020 wrote to memory of 2892	3020	news.exe	35
PID 3020 wrote to memory of 2892	3020	news.exe	35
PID 3020 wrote to memory of 2892	3020	news.exe	35
PID 3020 wrote to memory of 2892	3020	news.exe	35
PID 3020 wrote to memory of 2892	3020	news.exe	35
PID 3020 wrote to memory of 2892	3020	news.exe	35
PID 3020 wrote to memory of 2032	3020	news.exe	36
PID 3020 wrote to memory of 2032	3020	news.exe	36
PID 3020 wrote to memory of 2032	3020	news.exe	36
PID 3020 wrote to memory of 2032	3020	news.exe	36
PID 3020 wrote to memory of 2032	3020	news.exe	36
PID 3020 wrote to memory of 2032	3020	news.exe	36
PID 3020 wrote to memory of 2032	3020	news.exe	36
PID 3020 wrote to memory of 2032	3020	news.exe	36
PID 3020 wrote to memory of 2032	3020	news.exe	36
PID 3020 wrote to memory of 2032	3020	news.exe	36
PID 3020 wrote to memory of 2032	3020	news.exe	36
PID 3020 wrote to memory of 2032	3020	news.exe	36
PID 2032 wrote to memory of 2228	2032	iexplore.exe	37
PID 2032 wrote to memory of 2228	2032	iexplore.exe	37
PID 2032 wrote to memory of 2228	2032	iexplore.exe	37
PID 2032 wrote to memory of 2228	2032	iexplore.exe	37

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe
"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe"
1⤵
- Loads dropped DLL
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2728
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe
  "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe"
  2⤵
  - Executes dropped EXE
  - Loads dropped DLL
  - System Location Discovery: System Language Discovery
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  PID:2584
- - C:\Windows\SysWOW64\cmd.exe
    cmd /c ""C:\Users\Admin\AppData\Local\Temp\DTURA.bat" "
    3⤵
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    PID:792
  - - C:\Windows\SysWOW64\reg.exe
      REG ADD "HKCU\Software\Microsoft\Windows\CurrentVersion\Run" /v "nono" /t REG_SZ /d "C:\Users\Admin\AppData\Roaming\nono\news.exe" /f
      4⤵
      Adds Run key to start application
      System Location Discovery: System Language Discovery
      PID:624
- - C:\Users\Admin\AppData\Roaming\nono\news.exe
    "C:\Users\Admin\AppData\Roaming\nono\news.exe"
    3⤵
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    PID:3020
  - - C:\Users\Admin\AppData\Roaming\nono\news.exe
      "C:\Users\Admin\AppData\Roaming\nono\news.exe"
      4⤵
      Executes dropped EXE
      System Location Discovery: System Language Discovery
      Suspicious use of AdjustPrivilegeToken
      Suspicious use of SetWindowsHookEx
      PID:2892
  - - C:\Program Files\Internet Explorer\iexplore.exe
      "C:\Program Files\Internet Explorer\iexplore.exe"
      4⤵
      Modifies Internet Explorer settings
      Suspicious use of FindShellTrayWindow
      Suspicious use of SetWindowsHookEx
      Suspicious use of WriteProcessMemory
      PID:2032
    - - C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
        
        "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:2032 CREDAT:275457 /prefetch:2
        5⤵
        System Location Discovery: System Language Discovery
        Modifies Internet Explorer settings
        Suspicious use of SetWindowsHookEx
        
        PID:2228

Network

MITRE ATT&CK Enterprise v15

Reconnaissance

Resource Development

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Defense Evasion

Modify Registry

T1112

Credential Access

Discovery

System Information Discovery

T1082

System Location Discovery

T1614

System Language Discovery

T1614.001

Lateral Movement

Collection

Command and Control

Exfiltration

Impact

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
eadb1252a614eed5a34fd47ba9f919e9

SHA1
e9707b5b2b14fc26ebb05b9c53817dacf893c4d4

SHA256
4eb69e0bf74620468b8b4f7723f1d08eb4a97515373e6e2b22f8862233f562d4

SHA512
bcc92d052aa004ace7605080772c4baa1bc104933bb9f3b15640e5b52efa1d30afa8b60e2b272d35e7d698daa59e9632149a50da90c4bb80101fb8d429ea6ae0

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c700b3c8aa1daefb0e40060ffa3bc101

SHA1
afbba856cc37db629df9e1d5d0b82cc4bf71023f

SHA256
bfe15658996f08062bc02d74b624c8f2ac4dbbc81bd2774c6a7bca0ecef0cf13

SHA512
32fe26e3cb98454dd1bacd7996aae21eb93c1e1a6dd38aa834da2611a05377baa22258f2932c510eaf2412d1cdb8e9b59d16764f728669a99886a8eb7aa11562

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7f5beed8d050f932b4cf9a5bf85462a2

SHA1
630fac6ac40fe1ceb9932ae50f4801f6355b54df

SHA256
9d17d187b7b8c564a9f762e807ee76a795914898c97a3bf7e649a86cfb6a5dff

SHA512
db60051c75668026fd393574b07e9e96420372d56566a413f4755e95ac5640f6b12c95804cf6a489f6e2244169f2170eb4933cc1a8b61b71c1f39b1119d40215

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
0893eb622d56c39adf8f75dda5cec66f

SHA1
27767bd81f63bc6107bcdce8c0ad1bb3682060e0

SHA256
9a72971e5fbc0508fd92c9a55c55be3b7118dcc69164e2051323986e12e158dd

SHA512
53df211b78791d04b8531cf93e52f45037d2d23210eb5bcd3aefcf2384ee97fa5d292a8391e0cae9553138488a64e5b4a8a1aa049889ffb55b261acab0b7a052

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
3cee47184894a5ad36dbe248fe8ca7d3

SHA1
da1429ee1e8eafabfef2d9e7c041cd2a7736cac4

SHA256
446af5fb61918470ca439436d9bd12250b351540ddb0a39e7e700cb1429717ab

SHA512
e559c8bd88757781459a929594155750c13e0ff4bf48425229d93069be30347133ab7c4ebc27aee0ad8b48bad45e85a6edfc5876efe9c6a1d5c14bdb5e34bee9

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
e477da1db1e224eea9ae6bacc4330bf1

SHA1
e9accb5cbc6ff83b95ae9c11f7dc7fd4fb9885d6

SHA256
2d952b0b8d7b84631c0f9903b43e2a5597fdd9ceb93fef738c34d2419bbdd1ab

SHA512
6e91f01749d2445eb48fe1a71349befaa680b31322622ebe8ac4037da0ffae3af622b5f129e7195878621732158ea1f962446caeac2ce362a475c1ca425bbf64

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
28d763c9df224da038e9de95676d2ae8

SHA1
098568469b657b97c59c72e57d6cccbd7b75d35c

SHA256
1a9ad8cae4a27766655956aa4704a466cd6d0286f16663c848174bba631af0c1

SHA512
8fc7afb542750561ac3aca23c3f2d857b94db5ae4737c547ba0388b1ac937c96e8cef2e276a437d4fe7f376c0af091988a8fcd8c009a42277d6985777c8e638b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
6553e29b2d51a92190e80145c46e3f27

SHA1
ec57870532f8843c2759d2f8d490ce5a343b186d

SHA256
ac3dca059d5c81430fc852cd1a730219c20cb6d2f9cdac88273dc14a750a32e0

SHA512
5006c120acb12b0bd16b980ac655a548c9f6fe6c5436dfc56f2d0773c1b0aad386b6f34792c4a1161f12e2657813dd19330dbc2f02ce21933d66b8b69469e585

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
5b716f753059f8bb6a765a0650852da1

SHA1
5d06ce12ab8f409aa8dd90efd092646175cb5041

SHA256
9572aa535a527fd7f9c3b52e1f17fd1799000611f6454c4ace93fc14d54d1261

SHA512
3016ed999668cc1ba825661b94e2d8d1437e2a90eabdca04dce21684ef4ad872435f40710d7ada34d7a33bfda62a658cd04a7144a852735c206c20e01426fba1

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
129ae90a91becb776df4a76b0a077a5f

SHA1
a08d48224d3d3891d60002b7579be8a9425a494f

SHA256
0566f582ae818da425eb33305caef989cb4ebe7148556544584c4e60b2618d07

SHA512
66c7cc5fb158e0b28e683e2f6c4972968644e88f55c235e4d2523d5a6ce379840ae1c3f2ecd1184269e8eae3cece75b036d86c9a125934db9cc7391afd204825

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
435f7592870c694b2120a03fefc1662d

SHA1
56937cc08bc91bab51c834af0d558e2a8d44b429

SHA256
4493678b808da6015366ee08508ebe97bb715d8c70bb400f153717b4d831b809

SHA512
0d9e87ecba7a74bc58c76c5b1f0df3d8a09d33c19fb7f2be005ee0fb3351242c9f05a3ebc52815e7f195b8d2ff24792a03a3035cd96906b2352dfc91a1aa2e1e

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9e6b7e41d26b706b5dd58afab9b8e09b

SHA1
7f4ef6639298db229b6c643f4e7c76761f84d0c0

SHA256
32428f6904941de8eaf71a9468315a960f29116b1d61a08060804bcfaf5b26b1

SHA512
d972542a06dfc940ca43c117ed05218ada526fba95b407aba25aadf0ac98a92bf7da24b83273744372571acc02d285f52b7b0a9a5859cbde72bdbcbfe7858e7c

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
9603e89d6cf2ec0c40cf08ff3f3eff9c

SHA1
9667a53c872078dec28a3de5807a5d84c859cf84

SHA256
489ff734b1ca2e68d5db7c0e81326e7c5e1ff36da0310df7b855fe99574646a0

SHA512
b1afdc2f0559fc65641805f49b850a35ea63b0cd879c6561199a2f64b65898982f33159e5a78d678208ff8c5053540bdae499e0607b4cfa523d736b52c86c458

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c32a0a5b6456a66358ca15f7f174b070

SHA1
f8246dafe27000189e1e54900729dc0841b63b08

SHA256
11c274760e1fe154b8cc5a364387aeec7f155ef039915cd8798c17b8ca1291d9

SHA512
ded1689651613e16d3fa373e04bb0de4ef70d4ba6212efa0e1df4fdadf152d0df372bacbdccba7d01f6d6d079304f3a288ecd4f8a263a6584e0638d16754e22b

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
35595f2cea42e874af41fa9ffed4d442

SHA1
ae6674c9c2a00dce014ac87f2d034277b4d14ba9

SHA256
4420d5fab0f071599e8c1eff7535463556ca4f858722f3332debe7cde0df9e45

SHA512
c26deb290f2937f60844a796e6cf1e6f172d799e11a326239678e25e4710a706a8b0b471b030b49aa6703d140cc8c74380ec25ab7e32abd1566ff0e08b79af77

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
29d130402fa0a113e05f14f8f3083cfa

SHA1
d3633ad0d9bfefe8ecf322d7d835c982334a0b5a

SHA256
a386c2bc67c1758a96bf6011dbd2b95dfacbb58e7ff5e03dee055bdd7edb7f57

SHA512
57c51ac74f3031a08899809bab08c95055cf55427bdf7a5f01023fb3a70c68b5e203c6618d797a950cd88efee251f02e933295cf2408d340bbe9a6fb14f26c8d

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
7ed0fad2a0c02f616910dcbb104619f9

SHA1
8a855975e5d68db6108cd16f5d2a7fbf5db6fbc4

SHA256
7028fb04abd3484e395b1ddd67677f272dc8b8e35dc4d58018ae0d6c124707b4

SHA512
b6aae98b067b0eba9d7651bf8e8230b7dd963414e28099c585c233b8dea8bda7581cb4bcccadbbde895264a23af02249d9320d0de344dc67f07adc05de1f782a

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
c31b7e6120cc8914910f18530821753f

SHA1
4b5e64cd089c3189cde1c54066de16496e425054

SHA256
1686079ee09a857eb04e6bcb957a7ce64cdb732dc060371d5f14c91b4d5252a8

SHA512
3c79483cc657d20147f0b9d194edc3e322f56547bb92ef399f5b534f69b526c0959ab9966021f810227d3a416f77912ab4b0b4eeb36a2fd2e396c468c365d906

Download Submit
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\94308059B57B3142E455B38A6EB92015

Filesize
342B

MD5
8fe4d9b75320286e9fb31eb742f6d735

SHA1
1bfa1f98f3aedfa917df33413e469e88d3d2b848

SHA256
87e9dc25289239bba9b1b0347d12257e658f0a0c398d4fb9bb38faa2d3d89715

SHA512
3322f122fddc251577ef28c4f852097f9ff03fa426f136297bebfe1cc6ad3ead72fefa61b69a4502826bd0b2fba3ba151a3278d115225942230ab30cc73448cd

Download Submit
C:\Users\Admin\AppData\Local\Temp\CabB3E7.tmp

Filesize
70KB

MD5
49aebf8cbd62d92ac215b2923fb1b9f5

SHA1
1723be06719828dda65ad804298d0431f6aff976

SHA256
b33efcb95235b98b48508e019afa4b7655e80cf071defabd8b2123fc8b29307f

SHA512
bf86116b015fb56709516d686e168e7c9c68365136231cc51d0b6542ae95323a71d2c7acec84aad7dcecc2e410843f6d82a0a6d51b9acfc721a9c84fdd877b5b

Download Submit
C:\Users\Admin\AppData\Local\Temp\DTURA.bat

Filesize
135B

MD5
1637799904f81b231108ddb0a8f5dd0d

SHA1
d83c57bc03aa9b72f1b4f6fb6037106724d45bf2

SHA256
1d5b20c7546aeed9bcfc42e2b7a7a63cbb4ad6949fd1e87c16e7ec64c7d22a78

SHA512
6a4cef84a10a7dc7e0ecde3f780c16aa93405738dc688df39f775e4799b29298fda36920ed078d287fe0fcf88ae4f0271cd752df65ee282866d5091ec3e3d553

Download Submit
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_02e2120ae73f45f30fe140d7b6e90d98.exe

Filesize
760KB

MD5
02e2120ae73f45f30fe140d7b6e90d98

SHA1
3220919465989236c7a886e4816236c738b3abc5

SHA256
034dd5f6be4f9da37e326472542f527b921443939b1b41b2f4ac1371f475c26a

SHA512
9e6bf2c2c4ccd8d7edc5b4ccda5fe461306a1826be379c2e8845b6b95ab5770ff0488559dbcda54e1ffdb4039104b58a2eef42b10e73eebb8b874ea94844e21e

Download Submit
C:\Users\Admin\AppData\Local\Temp\TarB457.tmp

Filesize
181KB

MD5
4ea6026cf93ec6338144661bf1202cd1

SHA1
a1dec9044f750ad887935a01430bf49322fbdcb7

SHA256
8efbc21559ef8b1bcf526800d8070baad42474ce7198e26fa771dbb41a76b1d8

SHA512
6c7e0980e39aacf4c3689802353f464a08cd17753bd210ee997e5f2a455deb4f287a9ef74d84579dbde49bc96213cd2b8b247723919c412ea980aa6e6bfe218b

Download Submit
\Users\Admin\AppData\Roaming\nono\news.exe

Filesize
760KB

MD5
7d57f7278af22a3e53b2758bcfda75fa

SHA1
1513ef4a24756c965d9c27ab1823298f33b30504

SHA256
91a338963235b1291095d07afdd68331c3b59971ce6a68cab7c096efdae17888

SHA512
63d1e5901d55c1782f0faf08ad1eccb1d9b07dfffbd5f65635b61b84cfb33ccc15c72556f3b68622c9c332ded252e212a06717ff9274b54387570e3cf1eefa53

Download Submit
memory/2032-153-0x0000000000400000-0x00000000004B2000-memory.dmp

Filesize
712KB

Download
memory/2584-35-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2584-37-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2584-158-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2584-43-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2584-41-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

Filesize
4KB

Download
memory/2584-49-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2584-39-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2584-48-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2584-47-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2584-46-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2584-162-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2728-26-0x0000000002660000-0x0000000002707000-memory.dmp

Filesize
668KB

Download
memory/2728-8-0x0000000000260000-0x0000000000261000-memory.dmp

Filesize
4KB

Download
memory/2892-591-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/2892-159-0x0000000000400000-0x000000000040B000-memory.dmp

Filesize
44KB

Download
memory/3020-116-0x0000000002500000-0x00000000025A7000-memory.dmp

Filesize
668KB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Enterprise v15

Replay Monitor

Loading Replay Monitor...

Downloads