Malware Analysis Report

2025-04-13 22:44

Sample ID 250301-g94rhaszcs
Target JaffaCakes118_374e6afe24154e3613673122861ce0cf
SHA256 ae3507004a75fcdd9a75b8453ef276328cf089476ce0d840c027feaf0056f13d
Tags darkcomet guest16 discovery persistence rat trojan
Score 10/10

Table of Contents

Analysis Overview
MITRE ATT&CK
  Enterprise Matrix V15
Analysis: static1
  Detonation Overview
  Signatures
Analysis: behavioral1
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files
Analysis: behavioral2
  Detonation Overview
  Command Line
  Signatures
  Processes
  Network
  Files

Analysis Overview

Score 10/10

SHA256 ae3507004a75fcdd9a75b8453ef276328cf089476ce0d840c027feaf0056f13d

Threat Level: Known bad

The file JaffaCakes118_374e6afe24154e3613673122861ce0cf was found to be: Known bad.

Malicious Activity Summary

darkcomet guest16 discovery persistence rat trojan

Modifies WinLogon for persistence

Darkcomet family

Darkcomet

Drops startup file

Executes dropped EXE

Uses the VBS compiler for execution

Loads dropped DLL

Checks computer location settings

Drops desktop.ini file(s)

Adds Run key to start application

Suspicious use of SetThreadContext

Drops file in Windows directory

Unsigned PE

Enumerates physical storage devices

System Location Discovery: System Language Discovery

Suspicious use of WriteProcessMemory

Suspicious use of AdjustPrivilegeToken

Modifies registry class

MITRE ATT&CK

Analysis: static1

Detonation Overview

Reported

2025-03-01 06:31

Signatures

Unsigned PE

Description | Indicator | Process | Target
N/A | N/A | N/A | N/A

Analysis: behavioral1

Detonation Overview

Submitted

2025-03-01 06:31

Reported

2025-03-01 06:33

Platform

win7-20240729-en

Max time kernel

117s

Max time network

121s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe"

Signatures

Darkcomet

trojan rat darkcomet

Darkcomet family

darkcomet

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Users\Admin\AppData\Roaming\639624.exe | N/A
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Users\Admin\AppData\Roaming\639624.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\639624.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2700 set thread context of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\639624.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: 34 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: 35 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2700 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2700 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2700 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2700 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2700 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2700 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2700 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2700 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2700 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2700 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2700 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2700 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2700 wrote to memory of 2988 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2700 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2700 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2700 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2700 wrote to memory of 2668 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2668 wrote to memory of 2584 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2668 wrote to memory of 2584 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2668 wrote to memory of 2584 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2668 wrote to memory of 2584 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2988 wrote to memory of 2604 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
PID 2988 wrote to memory of 2604 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
PID 2988 wrote to memory of 2604 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
PID 2988 wrote to memory of 2604 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
PID 2700 wrote to memory of 1552 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Users\Admin\AppData\Roaming\639624.exe
PID 2700 wrote to memory of 1552 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Users\Admin\AppData\Roaming\639624.exe
PID 2700 wrote to memory of 1552 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Users\Admin\AppData\Roaming\639624.exe
PID 2700 wrote to memory of 1552 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Users\Admin\AppData\Roaming\639624.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\omzthacu.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES36E9.tmp" "C:\Users\Admin\AppData\Local\Temp\vbc36E8.tmp"

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"

C:\Users\Admin\AppData\Roaming\639624.exe

"C:\Users\Admin\AppData\Roaming\639624.exe"

Network

N/A

Files

memory/2700-0-0x0000000074351000-0x0000000074352000-memory.dmp

memory/2700-1-0x0000000074350000-0x00000000748FB000-memory.dmp

memory/2700-2-0x0000000074350000-0x00000000748FB000-memory.dmp

memory/2988-3-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2988-9-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2988-8-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2988-7-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2988-5-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2988-21-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2988-20-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2988-19-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2988-16-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2988-12-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2988-15-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2988-13-0x000000007EFDE000-0x000000007EFDF000-memory.dmp

memory/2988-11-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2988-10-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\omzthacu.cmdline

MD5 1f7c5e7bedd13d75e15acca15021ed44
SHA1 6f0ae2a03cb9e497d151ec1957f0e3859321c556
SHA256 147e940988ca7c8ac2fab3008fa4ce28b4b77a5b0158e7597bd8ec72d083be05
SHA512 a8b21be5faff7f34dbccce3ed9241d359a9924179f949b5a2480febe8a3f502252d9b114cff911417eddc2b4d80df7c0b821f51331cb06954841228fa060d179

C:\Users\Admin\AppData\Local\Temp\omzthacu.0.vb

MD5 f5555e48384cd68aa11b1bd87b77a787
SHA1 46d9a88b64161f24a54beee58613dbcbaadfe509
SHA256 17617822583638e9f98c05066a19254fbefe9ffeed6890f0a99f65b44af0bd91
SHA512 41300bfa2c0c16b3f794594b5bfe4fbc85ec257bdd930b0ae4d151ad6a9869b5a22dbd9ddd8f834fe8096c56cf9f5d5c1553148c5e4c84f430f2e305f28d75f7

memory/2668-27-0x0000000000400000-0x000000000051E000-memory.dmp

memory/2668-36-0x0000000000400000-0x000000000051E000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\RES36E9.tmp

MD5 a5f452e06875da32b03e6bfcbf0ad59c
SHA1 fd3b5db5bf5662f88d2f04c83976cd3b0456b796
SHA256 6e543785f2f05f9804196d07b93f42da7a88dc9e9beda6d3e3d670670bc6a95f
SHA512 dddf90876ddedf1a4da9580e3a0e4c96809d425000e629302fdd192f419689603634b22e033a2e627c3c655e4be08c4125b72641b18870cd29da8fdb11a32f6c

C:\Users\Admin\AppData\Local\Temp\vbc36E8.tmp

MD5 0ede81a10d8a8470634485061fe0a1d3
SHA1 5fdb47474f188620014469d2e98014de230bef9d
SHA256 08ab7778187d0e4c751e38a6bd395c0380088609b2663addc55e75a1ef6ed7e2
SHA512 7abae6d02b34d01ef2dd8fada7e25885974846ca2379e589e72fe6680684bef0698afce8679fca0026f2b78eb7473f2e4075291d0c687ca1755021482898ea70

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

MD5 34aa912defa18c2c129f1e09d75c1d7e
SHA1 9c3046324657505a30ecd9b1fdb46c05bde7d470
SHA256 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
SHA512 d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

memory/2988-44-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Users\Admin\AppData\Roaming\639624.exe

MD5 0d0c6e4452ee6c82c0e4eda6631826e3
SHA1 b134efd9a8f94c8a7e998bc9e508e594fab59493
SHA256 87749799af8245411a11367ba00d99de4205adbe5a2e2ad17b428b1330343bdb
SHA512 fcac53f4c1b0a97b707d49182c590216ee4006a453ec73620b11a9746c21d201b22603341ae58dd087e18b5ea690eb7212f72b07fac24ebf1eb105283896bd1b

memory/2700-51-0x0000000074350000-0x00000000748FB000-memory.dmp

Analysis: behavioral2

Detonation Overview

Submitted

2025-03-01 06:31

Reported

2025-03-01 06:33

Platform

win10v2004-20250217-en

Max time kernel

144s

Max time network

130s

Command Line

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe"

Signatures

Darkcomet

trojan rat darkcomet

Darkcomet family

darkcomet

Modifies WinLogon for persistence

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A

Checks computer location settings

Description | Indicator | Process | Target
Key value queried | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | N/A

Drops startup file

Description | Indicator | Process | Target
File opened for modification | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Users\Admin\AppData\Roaming\246535.exe | N/A
File created | C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Users\Admin\AppData\Roaming\246535.exe | N/A

Executes dropped EXE

Description | Indicator | Process | Target
N/A | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
N/A | N/A | C:\Users\Admin\AppData\Roaming\246535.exe | N/A

Uses the VBS compiler for execution

Adds Run key to start application

persistence
Description | Indicator | Process | Target
Set value (str) | \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A

Drops desktop.ini file(s)

Description | Indicator | Process | Target
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | N/A

Suspicious use of SetThreadContext

Description | Indicator | Process | Target
PID 2312 set thread context of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

Drops file in Windows directory

Description | Indicator | Process | Target
File opened for modification | C:\Windows\assembly | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | N/A
File created | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | N/A
File opened for modification | C:\Windows\assembly\Desktop.ini | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | N/A

Enumerates physical storage devices

System Location Discovery: System Language Discovery

discovery
Description | Indicator | Process | Target
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Roaming\246535.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | N/A
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A

Modifies registry class

Description | Indicator | Process | Target
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A

Suspicious use of AdjustPrivilegeToken

Description | Indicator | Process | Target
Token: SeIncreaseQuotaPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeSecurityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeTakeOwnershipPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeLoadDriverPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeSystemProfilePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeSystemtimePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeProfSingleProcessPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeIncBasePriorityPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeCreatePagefilePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeBackupPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeRestorePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeDebugPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeSystemEnvironmentPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeChangeNotifyPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeRemoteShutdownPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeUndockPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeManageVolumePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeImpersonatePrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: SeCreateGlobalPrivilege | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: 33 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: 34 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: 35 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A
Token: 36 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A

Suspicious use of WriteProcessMemory

Description | Indicator | Process | Target
PID 2312 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2312 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2312 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2312 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2312 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2312 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2312 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2312 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2312 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2312 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2312 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2312 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2312 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2312 wrote to memory of 2556 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2312 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2312 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 2312 wrote to memory of 1692 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
PID 1692 wrote to memory of 3672 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1692 wrote to memory of 3672 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 1692 wrote to memory of 3672 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
PID 2556 wrote to memory of 2668 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
PID 2556 wrote to memory of 2668 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
PID 2556 wrote to memory of 2668 | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
PID 2312 wrote to memory of 4356 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Users\Admin\AppData\Roaming\246535.exe
PID 2312 wrote to memory of 4356 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Users\Admin\AppData\Roaming\246535.exe
PID 2312 wrote to memory of 4356 | N/A | C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe | C:\Users\Admin\AppData\Roaming\246535.exe

Processes

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe

"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe

"C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wg1flxsj.cmdline"

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe

C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10A0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE6C442FDB7514821B5B3546D3AB8B4A6.TMP"

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"

C:\Users\Admin\AppData\Roaming\246535.exe

"C:\Users\Admin\AppData\Roaming\246535.exe"

Network

Country | Destination | Domain | Proto
US | 8.8.8.8:53 | g.bing.com | udp
US | 150.171.28.10:443 | g.bing.com | tcp
US | 8.8.8.8:53 | tse1.mm.bing.net | udp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp
US | 150.171.27.10:443 | tse1.mm.bing.net | tcp

Files

memory/2312-0-0x00000000746E2000-0x00000000746E3000-memory.dmp

memory/2312-1-0x00000000746E0000-0x0000000074C91000-memory.dmp

memory/2312-2-0x00000000746E0000-0x0000000074C91000-memory.dmp

memory/2556-5-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2556-6-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2556-11-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2556-7-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2556-12-0x0000000000400000-0x00000000004B2000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wg1flxsj.cmdline

MD5 f7cc3e92b0cad61d8238100483da1f2e
SHA1 6ade823dea52af3f83853e06eac52dcd377de710
SHA256 19e98299b48a4136ce17dcd60a47027079b262ffa718aab27c432bfb778152f5
SHA512 dd054c219d9a1939d6cc64c77a19a1748f3cfe1d4785c6a0dbf92ddea8cc3e10b9d14ccf86049da218b068de4963ea800e73476134218b7cde5bf033a976364d

C:\Users\Admin\Documents\MSDCSC\msdcsc.exe

MD5 d881de17aa8f2e2c08cbb7b265f928f9
SHA1 08936aebc87decf0af6e8eada191062b5e65ac2a
SHA256 b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA512 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34

memory/1692-23-0x0000000000400000-0x000000000051F000-memory.dmp

C:\Users\Admin\AppData\Local\Temp\wg1flxsj.0.vb

MD5 26b5026eab85d8e3d21427ffeba6c8a3
SHA1 b2361ad23c266730e9af34500be54ff9391961b7
SHA256 d36997f507d4ca2e49640d979b558b819fe494ecaa678d587fe19f8d018d68ca
SHA512 4306e5e1b4657c55dced4ec2428edff313672fd675af197eee25ca7306a5512f8df7f42fab2253614f6a851c1f44ca3793fa062fdc199a8bf7647c89c723559d

C:\Users\Admin\AppData\Local\Temp\vbcE6C442FDB7514821B5B3546D3AB8B4A6.TMP

MD5 459f17fff65bc1f8d8f876e58626f93f
SHA1 984986836d1bfe17c5bce7939bb96f08ca5ea182
SHA256 852e11326fe00a3ce5affd5dbb6258a4e5c6956e2c2654c7371e6c73b1644cd0
SHA512 312c9a9507c37087d2799ae062723651e752c50fe3bb43cd42d214fcb830c3d6196d24dad0812a1bc14700175689a6aa21db411623fe432071191801182c0e93

C:\Users\Admin\AppData\Local\Temp\RES10A0.tmp

MD5 e1c60275e242fff8001bcb7c9c23e34b
SHA1 3a4c069c6751c54828874df05d09e7f11e322228
SHA256 8f0bb6401a89267e375ef282651679bb448ac0141423759ffd95b7a6f160ccb3
SHA512 c9e77a1cded24b1aefa50e47563d77ee30da69d9d6b7584c2c7323561bc7f01fee99d5baf5e54342d57801e3e40cfb60e3b8a281427eb5347852b3f3968646fd

memory/1692-74-0x0000000000400000-0x000000000051F000-memory.dmp

memory/2556-86-0x0000000000400000-0x00000000004B2000-memory.dmp

memory/2312-88-0x00000000746E2000-0x00000000746E3000-memory.dmp

memory/2312-89-0x00000000746E0000-0x0000000074C91000-memory.dmp

C:\Users\Admin\AppData\Roaming\246535.exe

MD5 e08e1baaee539c9a015b7b986dd2e344
SHA1 513e172e1574b3cf6d44ec2b8f4881ae69e97201
SHA256 e38c599dcd27791a425d66c4f2e112b8a2788a84ef0da88282f745d8b7aff3ca
SHA512 71aa40d91bc1c090ff89b88033cdac0b6ac01d0512fb514e0b1739e074e1758f76f5cdb17a591c318a7f5c219c83f5752ff1c2cbc746be2755d4398105ce461a

memory/2312-93-0x00000000746E0000-0x0000000074C91000-memory.dmp