Analysis
  max time kernel: 148s
  max time network: 147s
  platform: windows10-2004_x64
  resource: win10v2004-20250410-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20250410-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 17/04/2025, 22:18
Static task: static1
Behavioral task: behavioral1
  Sample: JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Resource: win10v2004-20250410-en
Behavioral task: behavioral2
  Sample: JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Resource: win11-20250410-en
General
  Target: JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Size: 722KB
  MD5: bb644d9d074bc7ed49fe48e8da82b40c
  SHA1: 4a37c9123958c179a6b107571b7468a99c4bbf96
  SHA256: 243742280dab2a4f0cb78465e95d53009b4f3f942a88e87d7c08471407565f42
  SHA512: c7189f330b32c3a562ed0cc4cc694387336431d409692ecad78dd8e20e2eb6344c31eaaf319487b0237fe445db13baac0a237c31d999740ae7abb66f23206a3b
  SSDEEP: 12288:jrwYAI1xDr3gPVFoSXfKyOEN2mYmlQ0KKe5aHWkEBobJaOYs+C9jZKOQk8Ndd9l:4Nk9rwPVF9KyOEgTmBe5rBoqsxlZW
Malware Config
Extracted
  Family: darkcomet
  Botnet: Guest16_min
  C2: 127.0.0.1:1604
  Mutex: DCMIN_MUTEX-J3AF8JW
  InstallPath: DCSCMIN\IMDCSC.exe
  gencode: twsPYC9MBUcZ
  install: true
  offline_keylogger: true
  persistence: false
  reg_key: DarkComet RAT
Signatures
Darkcomet family

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe" | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Control Panel\International\Geo\Nation | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
Executes dropped EXE (4 IoCs)
  pid | Process
  404 | IMDCSC.exe
  5080 | IMDCSC.exe
  4416 | IMDCSC.exe
  2724 | IMDCSC.exe
Adds Run key to start application (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\Documents\\DCSCMIN\\IMDCSC.exe" | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
Suspicious use of SetThreadContext (6 IoCs)
  description | pid | Process | procid_target
  PID 3088 set thread context of 1132 | 3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 87
  PID 3088 set thread context of 1604 | 3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 89
  PID 5080 set thread context of 4424 | 5080 | IMDCSC.exe | 94
  PID 404 set thread context of 4492 | 404 | IMDCSC.exe | 95
  PID 5080 set thread context of 4416 | 5080 | IMDCSC.exe | 98
  PID 404 set thread context of 2724 | 404 | IMDCSC.exe | 99
Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTPs, 9 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IMDCSC.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IMDCSC.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IMDCSC.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IMDCSC.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | IEXPLORE.EXE
Modifies Internet Explorer settings (26 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\NextUpdateDate = "451693266" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main\WindowsSearch | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Set value (data) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff3e0000003e000000c4040000a3020000 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\AdminActive\{D863803B-1BD9-11F0-A5C7-7E1C71F105D9} = "0" | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff2400000024000000aa04000089020000 | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\GPU | IEXPLORE.EXE
  Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\GPU\AdapterInfo = "vendorId=\"0x10de\",deviceID=\"0x8c\",subSysID=\"0x0\",revision=\"0x0\",version=\"10.0.19041.546\"hypervisor=\"No Hypervisor (No SLAT)\"" | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\CompatibilityFlags = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Recovery\AdminActive | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\WindowsSearch\Version = "WS not running" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main | IEXPLORE.EXE
  Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\DomainSuggestion\FileNames\ | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\DomainSuggestion | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\FullScreen = "no" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Recovery\PendingRecovery | iexplore.exe
  Set value (int) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Recovery\PendingRecovery\AdminActive = "0" | iexplore.exe
  Key created | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\Software\Microsoft\Internet Explorer\Main | iexplore.exe
  Set value (data) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\Main\Window_Placement = 2c0000000200000003000000ffffffffffffffffffffffffffffffff5800000000000000de04000065020000 | iexplore.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2645532622-3298555945-705856666-1000\SOFTWARE\Microsoft\Internet Explorer\DomainSuggestion\FileNames\en-US = "en-US.1" | iexplore.exe
Suspicious behavior: EnumeratesProcesses (6 IoCs)
  pid | Process
  3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  5080 | IMDCSC.exe
  5080 | IMDCSC.exe
  404 | IMDCSC.exe
  404 | IMDCSC.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
  description | pid | Process
  Token: SeIncreaseQuotaPrivilege | 1604 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Token: SeSecurityPrivilege | 1604 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Token: SeTakeOwnershipPrivilege | 1604 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Token: SeLoadDriverPrivilege | 1604 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Token: SeSystemProfilePrivilege | 1604 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Token: SeSystemtimePrivilege | 1604 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Token: SeProfSingleProcessPrivilege | 1604 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Token: SeIncBasePriorityPrivilege | 1604 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Token: SeCreatePagefilePrivilege | 1604 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Token: SeBackupPrivilege | 1604 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Token: SeRestorePrivilege | 1604 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Token: SeShutdownPrivilege | 1604 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Token: SeDebugPrivilege | 1604 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Token: SeSystemEnvironmentPrivilege | 1604 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Token: SeChangeNotifyPrivilege | 1604 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Token: SeRemoteShutdownPrivilege | 1604 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Token: SeUndockPrivilege | 1604 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Token: SeManageVolumePrivilege | 1604 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Token: SeImpersonatePrivilege | 1604 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Token: SeCreateGlobalPrivilege | 1604 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Token: 33 | 1604 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Token: 34 | 1604 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Token: 35 | 1604 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Token: 36 | 1604 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Token: SeIncreaseQuotaPrivilege | 4416 | IMDCSC.exe
  Token: SeSecurityPrivilege | 4416 | IMDCSC.exe
  Token: SeTakeOwnershipPrivilege | 4416 | IMDCSC.exe
  Token: SeLoadDriverPrivilege | 4416 | IMDCSC.exe
  Token: SeSystemProfilePrivilege | 4416 | IMDCSC.exe
  Token: SeSystemtimePrivilege | 4416 | IMDCSC.exe
  Token: SeProfSingleProcessPrivilege | 4416 | IMDCSC.exe
  Token: SeIncBasePriorityPrivilege | 4416 | IMDCSC.exe
  Token: SeCreatePagefilePrivilege | 4416 | IMDCSC.exe
  Token: SeBackupPrivilege | 4416 | IMDCSC.exe
  Token: SeRestorePrivilege | 4416 | IMDCSC.exe
  Token: SeShutdownPrivilege | 4416 | IMDCSC.exe
  Token: SeDebugPrivilege | 4416 | IMDCSC.exe
  Token: SeSystemEnvironmentPrivilege | 4416 | IMDCSC.exe
  Token: SeChangeNotifyPrivilege | 4416 | IMDCSC.exe
  Token: SeRemoteShutdownPrivilege | 4416 | IMDCSC.exe
  Token: SeUndockPrivilege | 4416 | IMDCSC.exe
  Token: SeManageVolumePrivilege | 4416 | IMDCSC.exe
  Token: SeImpersonatePrivilege | 4416 | IMDCSC.exe
  Token: SeCreateGlobalPrivilege | 4416 | IMDCSC.exe
  Token: 33 | 4416 | IMDCSC.exe
  Token: 34 | 4416 | IMDCSC.exe
  Token: 35 | 4416 | IMDCSC.exe
  Token: 36 | 4416 | IMDCSC.exe
  Token: SeIncreaseQuotaPrivilege | 2724 | IMDCSC.exe
  Token: SeSecurityPrivilege | 2724 | IMDCSC.exe
  Token: SeTakeOwnershipPrivilege | 2724 | IMDCSC.exe
  Token: SeLoadDriverPrivilege | 2724 | IMDCSC.exe
  Token: SeSystemProfilePrivilege | 2724 | IMDCSC.exe
  Token: SeSystemtimePrivilege | 2724 | IMDCSC.exe
  Token: SeProfSingleProcessPrivilege | 2724 | IMDCSC.exe
  Token: SeIncBasePriorityPrivilege | 2724 | IMDCSC.exe
  Token: SeCreatePagefilePrivilege | 2724 | IMDCSC.exe
  Token: SeBackupPrivilege | 2724 | IMDCSC.exe
  Token: SeRestorePrivilege | 2724 | IMDCSC.exe
  Token: SeShutdownPrivilege | 2724 | IMDCSC.exe
  Token: SeDebugPrivilege | 2724 | IMDCSC.exe
  Token: SeSystemEnvironmentPrivilege | 2724 | IMDCSC.exe
  Token: SeChangeNotifyPrivilege | 2724 | IMDCSC.exe
  Token: SeRemoteShutdownPrivilege | 2724 | IMDCSC.exe
Suspicious use of FindShellTrayWindow (3 IoCs)
  pid | Process
  1132 | iexplore.exe
  1132 | iexplore.exe
  1132 | iexplore.exe
Suspicious use of SetWindowsHookEx (15 IoCs)
  pid | Process
  1132 | iexplore.exe
  1132 | iexplore.exe
  1128 | IEXPLORE.EXE
  1128 | IEXPLORE.EXE
  1132 | iexplore.exe
  1132 | iexplore.exe
  1132 | iexplore.exe
  1132 | iexplore.exe
  4744 | IEXPLORE.EXE
  4744 | IEXPLORE.EXE
  4736 | IEXPLORE.EXE
  4736 | IEXPLORE.EXE
  4416 | IMDCSC.exe
  4744 | IEXPLORE.EXE
  4744 | IEXPLORE.EXE
Suspicious use of WriteProcessMemory (64 IoCs)
  description | pid | Process | procid_target
  PID 3088 wrote to memory of 1132 | 3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 87
  PID 3088 wrote to memory of 1132 | 3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 87
  PID 3088 wrote to memory of 1132 | 3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 87
  PID 3088 wrote to memory of 1132 | 3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 87
  PID 3088 wrote to memory of 1132 | 3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 87
  PID 3088 wrote to memory of 1132 | 3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 87
  PID 3088 wrote to memory of 1132 | 3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 87
  PID 3088 wrote to memory of 1132 | 3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 87
  PID 3088 wrote to memory of 1132 | 3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 87
  PID 3088 wrote to memory of 1132 | 3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 87
  PID 3088 wrote to memory of 1132 | 3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 87
  PID 3088 wrote to memory of 1132 | 3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 87
  PID 1132 wrote to memory of 1128 | 1132 | iexplore.exe | 88
  PID 1132 wrote to memory of 1128 | 1132 | iexplore.exe | 88
  PID 1132 wrote to memory of 1128 | 1132 | iexplore.exe | 88
  PID 3088 wrote to memory of 1604 | 3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 89
  PID 3088 wrote to memory of 1604 | 3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 89
  PID 3088 wrote to memory of 1604 | 3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 89
  PID 3088 wrote to memory of 1604 | 3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 89
  PID 3088 wrote to memory of 1604 | 3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 89
  PID 3088 wrote to memory of 1604 | 3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 89
  PID 3088 wrote to memory of 1604 | 3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 89
  PID 3088 wrote to memory of 1604 | 3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 89
  PID 3088 wrote to memory of 1604 | 3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 89
  PID 3088 wrote to memory of 1604 | 3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 89
  PID 3088 wrote to memory of 1604 | 3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 89
  PID 3088 wrote to memory of 1604 | 3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 89
  PID 3088 wrote to memory of 1604 | 3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 89
  PID 3088 wrote to memory of 1604 | 3088 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 89
  PID 1604 wrote to memory of 404 | 1604 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 92
  PID 1604 wrote to memory of 404 | 1604 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 92
  PID 1604 wrote to memory of 404 | 1604 | JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe | 92
  PID 560 wrote to memory of 5080 | 560 | cmd.exe | 93
  PID 560 wrote to memory of 5080 | 560 | cmd.exe | 93
  PID 560 wrote to memory of 5080 | 560 | cmd.exe | 93
  PID 5080 wrote to memory of 4424 | 5080 | IMDCSC.exe | 94
  PID 5080 wrote to memory of 4424 | 5080 | IMDCSC.exe | 94
  PID 5080 wrote to memory of 4424 | 5080 | IMDCSC.exe | 94
  PID 5080 wrote to memory of 4424 | 5080 | IMDCSC.exe | 94
  PID 5080 wrote to memory of 4424 | 5080 | IMDCSC.exe | 94
  PID 5080 wrote to memory of 4424 | 5080 | IMDCSC.exe | 94
  PID 5080 wrote to memory of 4424 | 5080 | IMDCSC.exe | 94
  PID 5080 wrote to memory of 4424 | 5080 | IMDCSC.exe | 94
  PID 5080 wrote to memory of 4424 | 5080 | IMDCSC.exe | 94
  PID 5080 wrote to memory of 4424 | 5080 | IMDCSC.exe | 94
  PID 5080 wrote to memory of 4424 | 5080 | IMDCSC.exe | 94
  PID 5080 wrote to memory of 4424 | 5080 | IMDCSC.exe | 94
  PID 404 wrote to memory of 4492 | 404 | IMDCSC.exe | 95
  PID 404 wrote to memory of 4492 | 404 | IMDCSC.exe | 95
  PID 404 wrote to memory of 4492 | 404 | IMDCSC.exe | 95
  PID 404 wrote to memory of 4492 | 404 | IMDCSC.exe | 95
  PID 404 wrote to memory of 4492 | 404 | IMDCSC.exe | 95
  PID 404 wrote to memory of 4492 | 404 | IMDCSC.exe | 95
  PID 404 wrote to memory of 4492 | 404 | IMDCSC.exe | 95
  PID 404 wrote to memory of 4492 | 404 | IMDCSC.exe | 95
  PID 404 wrote to memory of 4492 | 404 | IMDCSC.exe | 95
  PID 404 wrote to memory of 4492 | 404 | IMDCSC.exe | 95
  PID 404 wrote to memory of 4492 | 404 | IMDCSC.exe | 95
  PID 404 wrote to memory of 4492 | 404 | IMDCSC.exe | 95
  PID 1132 wrote to memory of 4736 | 1132 | iexplore.exe | 96
  PID 1132 wrote to memory of 4736 | 1132 | iexplore.exe | 96
  PID 1132 wrote to memory of 4736 | 1132 | iexplore.exe | 96
  PID 1132 wrote to memory of 4744 | 1132 | iexplore.exe | 97
  PID 1132 wrote to memory of 4744 | 1132 | iexplore.exe | 97
Processes
Process tree (child processes are indented under their parent):

C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe"
  PID: 3088
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of WriteProcessMemory

  C:\Program Files\Internet Explorer\iexplore.exe
    Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
    PID: 1132
    - Modifies Internet Explorer settings
    - Suspicious use of FindShellTrayWindow
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1132 CREDAT:17410 /prefetch:2
      PID: 1128
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1132 CREDAT:82948 /prefetch:2
      PID: 4736
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

    C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE
      Command line: "C:\Program Files (x86)\Internet Explorer\IEXPLORE.EXE" SCODEF:1132 CREDAT:17412 /prefetch:2
      PID: 4744
      - System Location Discovery: System Language Discovery
      - Modifies Internet Explorer settings
      - Suspicious use of SetWindowsHookEx

  C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_bb644d9d074bc7ed49fe48e8da82b40c.exe
    PID: 1604
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
      Command line: "C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe"
      PID: 404
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: EnumeratesProcesses
      - Suspicious use of WriteProcessMemory

      C:\Program Files\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
        PID: 4492
        - Modifies Internet Explorer settings

      C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
        Command line: C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
        PID: 2724
        - Executes dropped EXE
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken

C:\Windows\system32\cmd.exe
  Command line: C:\Windows\system32\cmd.exe /c C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
  PID: 560
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
    Command line: C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
    PID: 5080
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of WriteProcessMemory

    C:\Program Files\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files\Internet Explorer\iexplore.exe"
      PID: 4424
      - Modifies Internet Explorer settings

    C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
      Command line: C:\Users\Admin\Documents\DCSCMIN\IMDCSC.exe
      PID: 4416
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v16
  Persistence
    Boot or Logon Autostart Execution (2)
      Registry Run Keys / Startup Folder (1)
      Winlogon Helper DLL (1)
  Privilege Escalation
    Boot or Logon Autostart Execution (2)
      Registry Run Keys / Startup Folder (1)
      Winlogon Helper DLL (1)
Downloads
C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\Content\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
  Filesize: 471B
  MD5: 0632c98a0b7882e2629d1bacc0066122
  SHA1: 51475e3243536402ebf857debc0ef0d784fc23f7
  SHA256: f6cdd0d6cd1b9e9c32b75493f8d151a8f3af0074c5815185a27bb9e5d20a27f5
  SHA512: b86f2740de8139222e1686df06dbce04c641df3cad1a6c2b167908b767f3ba0f7696db6d77c18d6dc8071b81bdb5d04cb560998f97c66b58adfa8bbbe6305638

C:\Users\Admin\AppData\LocalLow\Microsoft\CryptnetUrlCache\MetaData\E2C6CBAF0AF08CF203BA74BF0D0AB6D5_363582827213C09529A76F35FB615187
  Filesize: 412B
  MD5: cb2c5a75138a184cc731af344f0fdb02
  SHA1: 5fe9ee55572cb41a432dbc209b799a0c4a1b32bf
  SHA256: 26b44d4f52d73ccd0add32c7919d9121bf2594aa4bcf6b8c476862b24c02b4d4
  SHA512: ffcc3151467bf5d114f0e04673a326fa99d31a6f66b06e7da71589eb93df335989cd9123fcba5f3a11af917f9a7322b4f85f1ed9c2f0fd66edd72db80c3d3c77

[path not shown in report]
  Filesize: 17KB
  MD5: 5a34cb996293fde2cb7a4ac89587393a
  SHA1: 3c96c993500690d1a77873cd62bc639b3a10653f
  SHA256: c6a5377cbc07eece33790cfc70572e12c7a48ad8296be25c0cc805a1f384dbad
  SHA512: e1b7d0107733f81937415104e70f68b1be6fd0ca65dccf4ff72637943d44278d3a77f704aedff59d2dbc0d56a609b2590c8ec0dd6bc48ab30f1dad0c07a0a3ee

[path not shown in report] (hashes match the submitted sample)
  Filesize: 722KB
  MD5: bb644d9d074bc7ed49fe48e8da82b40c
  SHA1: 4a37c9123958c179a6b107571b7468a99c4bbf96
  SHA256: 243742280dab2a4f0cb78465e95d53009b4f3f942a88e87d7c08471407565f42
  SHA512: c7189f330b32c3a562ed0cc4cc694387336431d409692ecad78dd8e20e2eb6344c31eaaf319487b0237fe445db13baac0a237c31d999740ae7abb66f23206a3b