Analysis

Max time kernel: 150s
Max time network: 152s
Platform: windows10-2004_x64
Resource: win10v2004-20250314-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20250314-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 29/03/2025, 19:59

Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_96a686bb248a355f9a720d9bf61ef064.exe
  Resource: win7-20240903-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_96a686bb248a355f9a720d9bf61ef064.exe
  Resource: win10v2004-20250314-en
General

Target: JaffaCakes118_96a686bb248a355f9a720d9bf61ef064.exe
Size: 944KB
MD5: 96a686bb248a355f9a720d9bf61ef064
SHA1: b2a5177dfcdaa530c80f90f941de179ee2fb7b13
SHA256: 6738adf5533e75a138acd4a3529e06c684358e6357ed35032e2754f410bcb0fd
SHA512: 9f620190913834951e0374975554d15d00b596c15a9580fd81ad3301b76ba9387ceca3a7d261436d47178f848432a5e612584ab2f20a4d9aa4035f73ac0509a2
SSDEEP: 24576:hI1FoXBnpw8bzRhObDkvEbSDKC2UmKaHZfKYYPi:hMYBny0zD0DkvG8mKQCYY6
Malware Config

Extracted family: darkcomet
ID: Guest16
C2: rawezhhacker.no-ip.org:1604
Mutex: DC_MUTEX-X873AH0
InstallPath: MSDCSC\msdcsc.exe
gencode: XcXCPdfMkCy9
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures

Darkcomet family

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (JaffaCakes118_96a686bb248a355f9a720d9bf61ef064.exe)

Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  PID 680 attrib.exe; PID 3340 attrib.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\Control Panel\International\Geo\Nation (JaffaCakes118_96a686bb248a355f9a720d9bf61ef064.exe)

Deletes itself (1 IoC)
  PID 972 notepad.exe

Executes dropped EXE (38 IoCs)
  msdcsc.exe, PIDs 3168, 1476, 4572, 2868, 1192, 2732, 2944, 1344, 2336, 4160, 680, 3604, 4800, 4168, 4528, 384, 1948, 2000, 3236, 1464, 2280, 3512, 5112, 4028, 5080, 1652, 1048, 3176, 4884, 4140, 4948, 1296, 376, 2704, 3116, 2640, 2136, 3140

Adds Run key to start application (2 TTPs, 4 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-3218366390-1258052702-4267193707-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  Set by: JaffaCakes118_96a686bb248a355f9a720d9bf61ef064.exe, msdcsc.exe, msdcsc.exe, msdcsc.exe

Suspicious use of SetThreadContext (22 IoCs)
  parent PID (process) -> target PID [procid_target]
  4672 (JaffaCakes118_96a686bb248a355f9a720d9bf61ef064.exe) -> 5004 [88]
  3168 (msdcsc.exe) -> 1476 [99]
  1476 (msdcsc.exe) -> 4656 [100]
  4572 (msdcsc.exe) -> 1192 [107]
  1192 (msdcsc.exe) -> 4008 [108]
  2868 (msdcsc.exe) -> 2732 [111]
  2944 (msdcsc.exe) -> 1344 [118]
  2336 (msdcsc.exe) -> 4160 [120]
  680 (msdcsc.exe) -> 3604 [130]
  4800 (msdcsc.exe) -> 4168 [135]
  4528 (msdcsc.exe) -> 384 [141]
  1948 (msdcsc.exe) -> 2000 [147]
  3236 (msdcsc.exe) -> 1464 [156]
  2280 (msdcsc.exe) -> 3512 [160]
  5112 (msdcsc.exe) -> 4028 [164]
  5080 (msdcsc.exe) -> 1652 [169]
  1048 (msdcsc.exe) -> 3176 [173]
  4884 (msdcsc.exe) -> 4140 [177]
  4948 (msdcsc.exe) -> 1296 [181]
  376 (msdcsc.exe) -> 2704 [185]
  3116 (msdcsc.exe) -> 2640 [189]
  2136 (msdcsc.exe) -> 3140 [193]

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 48 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language, 48 times in total, by msdcsc.exe, cmd.exe, iexplore.exe, attrib.exe, notepad.exe and JaffaCakes118_96a686bb248a355f9a720d9bf61ef064.exe
Modifies registry class (1 IoC)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (JaffaCakes118_96a686bb248a355f9a720d9bf61ef064.exe)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2732 msdcsc.exe

Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Tokens adjusted by PID 5004 (JaffaCakes118_96a686bb248a355f9a720d9bf61ef064.exe), PID 1476 (msdcsc.exe) and PID 1192 (msdcsc.exe), each in the same order: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (the entries for PID 1192 stop after SeRemoteShutdownPrivilege because the report caps this signature at 64 IoCs)

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2732 msdcsc.exe

Suspicious use of WriteProcessMemory (64 IoCs)
  parent PID (process) -> target PID [procid_target]; repeated writes to the same target are listed once
  4672 (JaffaCakes118_96a686bb248a355f9a720d9bf61ef064.exe) -> 5004 [88]
  3460 (cmd.exe) -> 3168 [92]
  5004 (JaffaCakes118_96a686bb248a355f9a720d9bf61ef064.exe) -> 4732 [93]
  5004 (JaffaCakes118_96a686bb248a355f9a720d9bf61ef064.exe) -> 724 [94]
  4732 (cmd.exe) -> 680 [97]
  724 (cmd.exe) -> 3340 [98]
  3168 (msdcsc.exe) -> 1476 [99]
  1476 (msdcsc.exe) -> 4656 [100]
  5004 (JaffaCakes118_96a686bb248a355f9a720d9bf61ef064.exe) -> 972 [103]
  924 (cmd.exe) -> 4572 [104]

Views/modifies file attributes (1 TTP, 2 IoCs)
  PID 680 attrib.exe; PID 3340 attrib.exe
Processes

The depth marker [n] is the process tree level from the report; each entry gives the image path, PID, command line and the signatures that fired for it.

[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96a686bb248a355f9a720d9bf61ef064.exe (PID 4672)
    Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96a686bb248a355f9a720d9bf61ef064.exe"
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96a686bb248a355f9a720d9bf61ef064.exe (PID 5004)
      Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96a686bb248a355f9a720d9bf61ef064.exe
      - Modifies WinLogon for persistence
      - Checks computer location settings
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
    [3] C:\Windows\SysWOW64\cmd.exe (PID 4732)
        Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96a686bb248a355f9a720d9bf61ef064.exe" +s +h
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\attrib.exe (PID 680)
          Command line: attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96a686bb248a355f9a720d9bf61ef064.exe" +s +h
          - Sets file to hidden
          - System Location Discovery: System Language Discovery
          - Views/modifies file attributes
    [3] C:\Windows\SysWOW64\cmd.exe (PID 724)
        Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory
      [4] C:\Windows\SysWOW64\attrib.exe (PID 3340)
          Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          - Sets file to hidden
          - System Location Discovery: System Language Discovery
          - Views/modifies file attributes
    [3] C:\Windows\SysWOW64\notepad.exe (PID 972)
        Command line: notepad
        - Deletes itself
        - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 2868)
        Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        - Executes dropped EXE
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
      [4] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 2732)
          Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          - Executes dropped EXE
          - Adds Run key to start application
          - System Location Discovery: System Language Discovery
          - Suspicious behavior: GetForegroundWindowSpam
          - Suspicious use of SetWindowsHookEx
        [5] C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 1128)
            Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        [5] C:\Windows\explorer.exe (PID 820)
            Command line: "C:\Windows\explorer.exe"
        [5] C:\Windows\SysWOW64\notepad.exe (PID 1256)
            Command line: notepad
            - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 3460)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 3168)
      Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory
    [3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 1476)
        Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
      [4] C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 4656)
          Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          - System Location Discovery: System Language Discovery
        [5] C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 2220)
            Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

[1] C:\Windows\system32\cmd.exe (PID 924)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
    - Suspicious use of WriteProcessMemory
  [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 4572)
      Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 1192)
        Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
      [4] C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 4008)
          Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 2648)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 2944)
      Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 1344)
        Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 4108)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 2336)
      Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 4160)
        Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 3388)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 680)
      Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 3604)
        Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 3860)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 4800)
      Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 4168)
        Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 540)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 4528)
      Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 384)
        Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 1720)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 1948)
      Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 2000)
        Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 4664)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 3236)
      Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 1464)
        Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 1580)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 2280)
      Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 3512)
        Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 4020)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 5112)
      Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 4028)
        Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 1624)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 5080)
      Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 1652)
        Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 3860)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 1048)
      Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 3176)
        Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 3856)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 4884)
      Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 4140)
        Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 4636)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 4948)
      Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 1296)
        Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 1032)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 376)
      Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 2704)
        Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 5052)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 3116)
      Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 2640)
        Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery

[1] C:\Windows\system32\cmd.exe (PID 4228)
    Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 2136)
      Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
    [3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 3140)
        Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Modify Registry (2)