Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 20/02/2025, 20:28
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe
  Resource: win7-20241010-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe
  Resource: win10v2004-20250217-en
General
Target: JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe
Size: 353KB
MD5: 0e01525d20d82472d8f4f4baeceea7c0
SHA1: 735ff695990bfc7a4b926297bb2c925da5d77da7
SHA256: b5880746d859edbfc53d9118d7ce6bad58c20e9f67270b1ffcfa4cfc177cb655
SHA512: 65b350c6c28b66aad48f2427032d9b1df2926b50d8dc6868d4135dea49a26fc02d321b560b663198a856129e4a1893850e5c73b5cd7b3a95330137cb100868c0
SSDEEP: 6144:2JD6KarVGMX0mNsVvpyTpZY63vwPOj4LOAhz6tUIBwWcOUl2jXQcXForOM/m1n6:uDGRsuspipaSSW4zhSBwWcODsc1aOM/Y
Malware Config
Extracted
Family: darkcomet
Botnet: oksha
C2: fuck-all.no-ip.info:277
Mutex: DC_MUTEX-0RTF6BF
  InstallPath: MSDCSC\msdcsc.exe
  gencode: FkQYb2bTZw5j
  install: true
  offline_keylogger: true
  persistence: true
Extracted
Family: darkcomet
  gencode:
  install: false
  offline_keylogger: false
  persistence: false
Signatures
Darkcomet family
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe
Modifies firewall policy service 3 TTPs 3 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | msdcsc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | msdcsc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | msdcsc.exe
Modifies security service 2 TTPs 1 IoCs
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | msdcsc.exe
Windows security bypass 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid | Process
1028 | attrib.exe
4976 | attrib.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description | ioc | Process
Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe
Deletes itself 1 IoCs
pid | Process
2652 | notepad.exe
Drops startup file 2 IoCs
description | ioc | Process
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif | JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\system.pif | msdcsc.exe
Executes dropped EXE 2 IoCs
pid | Process
3468 | msdcsc.exe
4672 | msdcsc.exe
Windows security modification 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe
Adds Run key to start application 2 TTPs 6 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Windows\\InstallDir\\help.exe" | JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Windows\\InstallDir\\help.exe" | JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Windows\\InstallDir\\help.exe" | msdcsc.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\help = "C:\\Windows\\InstallDir\\help.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" | msdcsc.exe
Drops file in System32 directory 4 IoCs
description | ioc | Process
File opened for modification | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | msdcsc.exe
File created | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\msdcsc.exe | JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe
File opened for modification | C:\Windows\SysWOW64\MSDCSC\ | JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe
Suspicious use of SetThreadContext 4 IoCs
description | pid | Process | procid_target
PID 2364 set thread context of 1140 | 2364 | JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe | 84
PID 2364 set thread context of 3984 | 2364 | JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe | 89
PID 3468 set thread context of 960 | 3468 | msdcsc.exe | 98
PID 3468 set thread context of 4672 | 3468 | msdcsc.exe | 100
Yara rule match: upx 28 IoCs
resource | yara_rule
behavioral2/memory/1140-6-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/3984-8-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/3984-9-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/3984-10-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/3984-11-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/3984-12-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/3984-82-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4672-86-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4672-87-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4672-88-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4672-92-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4672-93-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4672-89-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4672-94-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4672-95-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4672-96-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4672-102-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4672-103-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4672-104-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4672-105-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4672-113-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4672-114-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4672-115-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4672-116-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4672-117-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4672-118-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4672-119-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/4672-120-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
Drops file in Windows directory 3 IoCs
description | ioc | Process
File created | C:\Windows\InstallDir\help.exe | JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe
File opened for modification | C:\Windows\InstallDir\help.exe | JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe
File opened for modification | C:\Windows\InstallDir\help.exe | msdcsc.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 12 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdcsc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdcsc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Modifies Internet Explorer settings 32 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "291697443" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31163350" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31163350" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Set value (int) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "295604120" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "446848280" | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Internet Explorer\VersionManager | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateLowDateTime = "277166591" | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Internet Explorer\VersionManager\LastCheckForUpdateHighDateTime = "31163350" | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
Set value (int) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{3BF32476-EFC9-11EF-BCE7-D6A26BA1FAEA} = "0" | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | iexplore.exe
Key created | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Software\Microsoft\Internet Explorer\VersionManager | IEXPLORE.EXE
Modifies registry class 1 IoCs
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe
Suspicious behavior: EnumeratesProcesses 4 IoCs
pid | Process
2364 | JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe
2364 | JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe
3468 | msdcsc.exe
3468 | msdcsc.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
4672 | msdcsc.exe
Suspicious use of AdjustPrivilegeToken 48 IoCs
description | pid | Process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (one IoC each, 24 in total) | 3984 | JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (one IoC each, 24 in total) | 4672 | msdcsc.exe
Suspicious use of FindShellTrayWindow 2 IoCs
pid | Process
1140 | iexplore.exe
1140 | iexplore.exe
Suspicious use of SetWindowsHookEx 11 IoCs
pid | Process
1140 | iexplore.exe
1140 | iexplore.exe
796 | IEXPLORE.EXE
796 | IEXPLORE.EXE
1140 | iexplore.exe
1140 | iexplore.exe
3812 | IEXPLORE.EXE
3812 | IEXPLORE.EXE
4672 | msdcsc.exe
3812 | IEXPLORE.EXE
3812 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory 64 IoCs
description | pid | Process | procid_target
PID 2364 wrote to memory of 1140 | 2364 | JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe | 84
PID 1140 wrote to memory of 796 | 1140 | iexplore.exe | 86
PID 2364 wrote to memory of 3984 | 2364 | JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe | 89
PID 3984 wrote to memory of 1744 | 3984 | JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe | 90
PID 3984 wrote to memory of 1060 | 3984 | JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe | 92
PID 3984 wrote to memory of 2652 | 3984 | JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe | 93
PID 1744 wrote to memory of 1028 | 1744 | cmd.exe | 95
PID 1060 wrote to memory of 4976 | 1060 | cmd.exe | 96
PID 3984 wrote to memory of 3468 | 3984 | JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe | 97
PID 3468 wrote to memory of 960 | 3468 | msdcsc.exe | 98
PID 1140 wrote to memory of 3812 | 1140 | iexplore.exe | 99
PID 3468 wrote to memory of 4672 | 3468 | msdcsc.exe | 100
Views/modifies file attributes 1 TTPs 2 IoCs
pid | Process
1028 | attrib.exe
4976 | attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe (PID 2364)
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe"
  - Drops startup file
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory
  C:\Program Files\Internet Explorer\iexplore.exe (PID 1140)
    command line: "C:\Program Files\Internet Explorer\iexplore.exe"
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 796)
      command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1140 CREDAT:17410 /prefetch:2
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE (PID 3812)
      command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1140 CREDAT:82948 /prefetch:2
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx
  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe (PID 3984)
    command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\cmd.exe (PID 1744)
      command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe" +s +h
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\attrib.exe (PID 1028)
        command line: attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0e01525d20d82472d8f4f4baeceea7c0.exe" +s +h
        - Sets file to hidden
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes
    C:\Windows\SysWOW64\cmd.exe (PID 1060)
      command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
      C:\Windows\SysWOW64\attrib.exe (PID 4976)
        command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Sets file to hidden
        - System Location Discovery: System Language Discovery
        - Views/modifies file attributes
    C:\Windows\SysWOW64\notepad.exe (PID 2652)
      command line: notepad
      - Deletes itself
      - System Location Discovery: System Language Discovery
    C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (PID 3468)
      command line: "C:\Windows\system32\MSDCSC\msdcsc.exe"
      - Drops startup file
      - Executes dropped EXE
      - Adds Run key to start application
      - Drops file in System32 directory
      - Suspicious use of SetThreadContext
      - Drops file in Windows directory
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory
      C:\Program Files\Internet Explorer\iexplore.exe (PID 960)
        command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        - Modifies Internet Explorer settings
      C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (PID 4672)
        command line: C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
        - Modifies firewall policy service
        - Modifies security service
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        C:\Windows\SysWOW64\notepad.exe (PID 3972)
          command line: notepad
          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Defense Evasion
- Hide Artifacts (2)
  - Hidden Files and Directories (2)
- Impair Defenses (3)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (2)
- Modify Registry (7)
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\31976568FBE31D20174C3FAC50D34698_2224EF112EEB7D5CE6B913D61620C791
Filesize: 471B
MD5: 881287304b8b6e00a8b8600f92dcf2f5
SHA1: 8cd1a8b77451d6bdf49ef84248acf32e0dde3590
SHA256: 2478c5003b3e7cbb54c40a6944bc821b583d521ecd1c879e261491800a853a24
SHA512: 2e8bdd1c0dbc3ffed38b63172bae99e443de5763d8ef40c1cc6ee32f38f4b0cf258ef1dbc2a7577c6783fc0a84dd1e57b79f11db90789c6c45394bebba2b48b5

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\31976568FBE31D20174C3FAC50D34698_2224EF112EEB7D5CE6B913D61620C791
Filesize: 400B
MD5: 4c2f1bb2b29b91efa2c6eceb698cd689
SHA1: 7421afc4c95ef742eb5c5367f67c770dd11cb742
SHA256: 8ed7276b174cd2d38a744b295ca68b4afb62ed678a8df0df16439a5e7fce8668
SHA512: 905332604256e8ab75863b4ab6ac73a40dc21a25825296afaa247429d53c6f7c39a9165fd060aeed170a8d3bd892034abbaae29747112bc2779bf6528b91df6d

Filesize: 17KB
MD5: 5a34cb996293fde2cb7a4ac89587393a
SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

Filesize: 353KB
MD5: 0e01525d20d82472d8f4f4baeceea7c0
SHA1: 735ff695990bfc7a4b926297bb2c925da5d77da7
SHA256: b5880746d859edbfc53d9118d7ce6bad58c20e9f67270b1ffcfa4cfc177cb655
SHA512: 65b350c6c28b66aad48f2427032d9b1df2926b50d8dc6868d4135dea49a26fc02d321b560b663198a856129e4a1893850e5c73b5cd7b3a95330137cb100868c0