darkcomet | c1cea27e96c5a7cee8fbb07677994a06994c797104c84a22f87563621e9a2274

Analysis

max time kernel
118s
max time network
119s
platform
windows7_x64
resource
win7-20240611-en
resource tags

arch:x64arch:x86image:win7-20240611-enlocale:en-usos:windows7-x64system
submitted
27-06-2024 21:07

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Size

667KB
MD5

1787331fa3f89e5c542066c702026032
SHA1

e0c6d3d7c959a4cdae9347ffc2f2715c0c548489
SHA256

c1cea27e96c5a7cee8fbb07677994a06994c797104c84a22f87563621e9a2274
SHA512

01547c8684f8b1eefd9d11084d43332d52fb5e41363f45946d3530ffed958053a3ee736d9438eb7f7da6b998dae14cd1b6a586c5308a24eccad411a16490e9ed
SSDEEP

12288:revgMsEPjD9BPde812W35dAOgrqet0k3D+EMVMKKcwHk0R8XTCAsQ429EcbxS:a4+PrMW35dAzq8rzBMqKKhHk06ueS

Score

10^/10

darkcomet guest16 persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

Guest16

qwerrewq.no-ip.biz:82

Mutex

DC_MUTEX-S1SQAX8

Attributes

InstallPath
MSDCSC\msdcsc.exe
gencode
TWVVSyXJvjJa
install
true
offline_keylogger
true
password
0987654321
persistence
true
reg_key
MicroUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 6 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

msdcsc.exe1787331fa3f89e5c542066c702026032_JaffaCakes118.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe,C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe

Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

2204 notepad.exe
Executes dropped EXE 5 IoCs

Processes:

msdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

pid process

2788 msdcsc.exe
2300 msdcsc.exe
1880 msdcsc.exe
2456 msdcsc.exe
1068 msdcsc.exe

pid	process
2204	notepad.exe

pid	process
2788	msdcsc.exe
2300	msdcsc.exe
1880	msdcsc.exe
2456	msdcsc.exe
1068	msdcsc.exe

Loads dropped DLL 10 IoCs

Processes:

1787331fa3f89e5c542066c702026032_JaffaCakes118.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

pid	process
772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
2788	msdcsc.exe
2788	msdcsc.exe
2300	msdcsc.exe
2300	msdcsc.exe
1880	msdcsc.exe
1880	msdcsc.exe
2456	msdcsc.exe
2456	msdcsc.exe

Molebox Virtualization software 1 IoCs
Detects file using Molebox Virtualization software.

Processes:

resource yara_rule

\Windows\SysWOW64\MSDCSC\msdcsc.exe molebox

resource	yara_rule
\Windows\SysWOW64\MSDCSC\msdcsc.exe	molebox

Adds Run key to start application 2 TTPs 6 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

msdcsc.exe1787331fa3f89e5c542066c702026032_JaffaCakes118.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\TWVVSyXJvjJa\\TWVVSyXJvjJa\\msdcsc.exe"	msdcsc.exe

Drops file in System32 directory 18 IoCs

Processes:

1787331fa3f89e5c542066c702026032_JaffaCakes118.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exemsdcsc.exe

description	ioc	process
File opened for modification	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
File created	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File created	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe
File opened for modification	C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe	msdcsc.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082

Suspicious use of AdjustPrivilegeToken 64 IoCs

Processes:

1787331fa3f89e5c542066c702026032_JaffaCakes118.exemsdcsc.exemsdcsc.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeSecurityPrivilege	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeSystemtimePrivilege	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeBackupPrivilege	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeRestorePrivilege	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeShutdownPrivilege	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeDebugPrivilege	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeUndockPrivilege	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeManageVolumePrivilege	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeImpersonatePrivilege	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: 33	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: 34	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: 35	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2788	msdcsc.exe
Token: SeSecurityPrivilege	2788	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2788	msdcsc.exe
Token: SeLoadDriverPrivilege	2788	msdcsc.exe
Token: SeSystemProfilePrivilege	2788	msdcsc.exe
Token: SeSystemtimePrivilege	2788	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2788	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2788	msdcsc.exe
Token: SeCreatePagefilePrivilege	2788	msdcsc.exe
Token: SeBackupPrivilege	2788	msdcsc.exe
Token: SeRestorePrivilege	2788	msdcsc.exe
Token: SeShutdownPrivilege	2788	msdcsc.exe
Token: SeDebugPrivilege	2788	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2788	msdcsc.exe
Token: SeChangeNotifyPrivilege	2788	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2788	msdcsc.exe
Token: SeUndockPrivilege	2788	msdcsc.exe
Token: SeManageVolumePrivilege	2788	msdcsc.exe
Token: SeImpersonatePrivilege	2788	msdcsc.exe
Token: SeCreateGlobalPrivilege	2788	msdcsc.exe
Token: 33	2788	msdcsc.exe
Token: 34	2788	msdcsc.exe
Token: 35	2788	msdcsc.exe
Token: SeIncreaseQuotaPrivilege	2300	msdcsc.exe
Token: SeSecurityPrivilege	2300	msdcsc.exe
Token: SeTakeOwnershipPrivilege	2300	msdcsc.exe
Token: SeLoadDriverPrivilege	2300	msdcsc.exe
Token: SeSystemProfilePrivilege	2300	msdcsc.exe
Token: SeSystemtimePrivilege	2300	msdcsc.exe
Token: SeProfSingleProcessPrivilege	2300	msdcsc.exe
Token: SeIncBasePriorityPrivilege	2300	msdcsc.exe
Token: SeCreatePagefilePrivilege	2300	msdcsc.exe
Token: SeBackupPrivilege	2300	msdcsc.exe
Token: SeRestorePrivilege	2300	msdcsc.exe
Token: SeShutdownPrivilege	2300	msdcsc.exe
Token: SeDebugPrivilege	2300	msdcsc.exe
Token: SeSystemEnvironmentPrivilege	2300	msdcsc.exe
Token: SeChangeNotifyPrivilege	2300	msdcsc.exe
Token: SeRemoteShutdownPrivilege	2300	msdcsc.exe
Token: SeUndockPrivilege	2300	msdcsc.exe
Token: SeManageVolumePrivilege	2300	msdcsc.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1787331fa3f89e5c542066c702026032_JaffaCakes118.exemsdcsc.exemsdcsc.exe

description	pid	process	target process
PID 772 wrote to memory of 2204	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 772 wrote to memory of 2204	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 772 wrote to memory of 2204	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 772 wrote to memory of 2204	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 772 wrote to memory of 2204	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 772 wrote to memory of 2204	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 772 wrote to memory of 2204	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 772 wrote to memory of 2204	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 772 wrote to memory of 2204	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 772 wrote to memory of 2204	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 772 wrote to memory of 2204	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 772 wrote to memory of 2204	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 772 wrote to memory of 2204	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 772 wrote to memory of 2204	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 772 wrote to memory of 2204	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 772 wrote to memory of 2204	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 772 wrote to memory of 2204	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 772 wrote to memory of 2204	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	notepad.exe
PID 772 wrote to memory of 2788	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	msdcsc.exe
PID 772 wrote to memory of 2788	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	msdcsc.exe
PID 772 wrote to memory of 2788	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	msdcsc.exe
PID 772 wrote to memory of 2788	772	1787331fa3f89e5c542066c702026032_JaffaCakes118.exe	msdcsc.exe
PID 2788 wrote to memory of 2584	2788	msdcsc.exe	notepad.exe
PID 2788 wrote to memory of 2584	2788	msdcsc.exe	notepad.exe
PID 2788 wrote to memory of 2584	2788	msdcsc.exe	notepad.exe
PID 2788 wrote to memory of 2584	2788	msdcsc.exe	notepad.exe
PID 2788 wrote to memory of 2584	2788	msdcsc.exe	notepad.exe
PID 2788 wrote to memory of 2584	2788	msdcsc.exe	notepad.exe
PID 2788 wrote to memory of 2584	2788	msdcsc.exe	notepad.exe
PID 2788 wrote to memory of 2584	2788	msdcsc.exe	notepad.exe
PID 2788 wrote to memory of 2584	2788	msdcsc.exe	notepad.exe
PID 2788 wrote to memory of 2584	2788	msdcsc.exe	notepad.exe
PID 2788 wrote to memory of 2584	2788	msdcsc.exe	notepad.exe
PID 2788 wrote to memory of 2584	2788	msdcsc.exe	notepad.exe
PID 2788 wrote to memory of 2584	2788	msdcsc.exe	notepad.exe
PID 2788 wrote to memory of 2584	2788	msdcsc.exe	notepad.exe
PID 2788 wrote to memory of 2584	2788	msdcsc.exe	notepad.exe
PID 2788 wrote to memory of 2584	2788	msdcsc.exe	notepad.exe
PID 2788 wrote to memory of 2584	2788	msdcsc.exe	notepad.exe
PID 2788 wrote to memory of 2584	2788	msdcsc.exe	notepad.exe
PID 2788 wrote to memory of 2300	2788	msdcsc.exe	msdcsc.exe
PID 2788 wrote to memory of 2300	2788	msdcsc.exe	msdcsc.exe
PID 2788 wrote to memory of 2300	2788	msdcsc.exe	msdcsc.exe
PID 2788 wrote to memory of 2300	2788	msdcsc.exe	msdcsc.exe
PID 2300 wrote to memory of 2508	2300	msdcsc.exe	notepad.exe
PID 2300 wrote to memory of 2508	2300	msdcsc.exe	notepad.exe
PID 2300 wrote to memory of 2508	2300	msdcsc.exe	notepad.exe
PID 2300 wrote to memory of 2508	2300	msdcsc.exe	notepad.exe
PID 2300 wrote to memory of 2508	2300	msdcsc.exe	notepad.exe
PID 2300 wrote to memory of 2508	2300	msdcsc.exe	notepad.exe
PID 2300 wrote to memory of 2508	2300	msdcsc.exe	notepad.exe
PID 2300 wrote to memory of 2508	2300	msdcsc.exe	notepad.exe
PID 2300 wrote to memory of 2508	2300	msdcsc.exe	notepad.exe
PID 2300 wrote to memory of 2508	2300	msdcsc.exe	notepad.exe
PID 2300 wrote to memory of 2508	2300	msdcsc.exe	notepad.exe
PID 2300 wrote to memory of 2508	2300	msdcsc.exe	notepad.exe
PID 2300 wrote to memory of 2508	2300	msdcsc.exe	notepad.exe
PID 2300 wrote to memory of 2508	2300	msdcsc.exe	notepad.exe
PID 2300 wrote to memory of 2508	2300	msdcsc.exe	notepad.exe
PID 2300 wrote to memory of 2508	2300	msdcsc.exe	notepad.exe
PID 2300 wrote to memory of 2508	2300	msdcsc.exe	notepad.exe
PID 2300 wrote to memory of 2508	2300	msdcsc.exe	notepad.exe
PID 2300 wrote to memory of 1880	2300	msdcsc.exe	msdcsc.exe
PID 2300 wrote to memory of 1880	2300	msdcsc.exe	msdcsc.exe

C:\Users\Admin\AppData\Local\Temp\1787331fa3f89e5c542066c702026032_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1787331fa3f89e5c542066c702026032_JaffaCakes118.exe"
1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:772

C:\Windows\SysWOW64\notepad.exe
notepad
2⤵
- Deletes itself
PID:2204

C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
"C:\Windows\system32\MSDCSC\msdcsc.exe"
2⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2788

C:\Windows\SysWOW64\notepad.exe
notepad
3⤵
PID:2584

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\msdcsc.exe"
3⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2300

C:\Windows\SysWOW64\notepad.exe
notepad
4⤵
PID:2508

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe"
4⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:1880

C:\Windows\SysWOW64\notepad.exe
notepad
5⤵
PID:2324

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\msdcsc.exe"
5⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Loads dropped DLL
- Adds Run key to start application
- Drops file in System32 directory
PID:2456

C:\Windows\SysWOW64\notepad.exe
notepad
6⤵
PID:2388

C:\Windows\SysWOW64\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe
"C:\Windows\system32\MSDCSC\TWVVSyXJvjJa\TWVVSyXJvjJa\msdcsc.exe"
6⤵
- Modifies WinLogon for persistence
- Executes dropped EXE
- Adds Run key to start application
- Drops file in System32 directory
PID:1068

C:\Windows\SysWOW64\notepad.exe
notepad
7⤵
PID:1820

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads

\Windows\SysWOW64\MSDCSC\msdcsc.exe
Filesize
667KB

MD5
1787331fa3f89e5c542066c702026032

SHA1
e0c6d3d7c959a4cdae9347ffc2f2715c0c548489

SHA256
c1cea27e96c5a7cee8fbb07677994a06994c797104c84a22f87563621e9a2274

SHA512
01547c8684f8b1eefd9d11084d43332d52fb5e41363f45946d3530ffed958053a3ee736d9438eb7f7da6b998dae14cd1b6a586c5308a24eccad411a16490e9ed

Download Submit
memory/772-39-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/772-5-0x00000000770C1000-0x00000000770C2000-memory.dmp

Filesize
4KB

Download
memory/772-4-0x00000000778C0000-0x00000000778C1000-memory.dmp

Filesize
4KB

Download
memory/772-3-0x0000000001F60000-0x0000000001F70000-memory.dmp

Filesize
64KB

Download
memory/772-1-0x0000000000240000-0x0000000000241000-memory.dmp

Filesize
4KB

Download
memory/772-0-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/772-6-0x00000000770B0000-0x00000000771C0000-memory.dmp

Filesize
1.1MB

Download
memory/772-7-0x00000000770B0000-0x00000000771C0000-memory.dmp

Filesize
1.1MB

Download
memory/772-40-0x0000000000500000-0x000000000054E000-memory.dmp

Filesize
312KB

Download
memory/772-42-0x00000000770B0000-0x00000000771C0000-memory.dmp

Filesize
1.1MB

Download
memory/772-2-0x0000000000500000-0x000000000054E000-memory.dmp

Filesize
312KB

Download
memory/2204-31-0x00000000770B0000-0x00000000771C0000-memory.dmp

Filesize
1.1MB

Download
memory/2204-29-0x00000000001E0000-0x00000000001E1000-memory.dmp

Filesize
4KB

Download
memory/2204-10-0x0000000000080000-0x0000000000081000-memory.dmp

Filesize
4KB

Download
memory/2204-91-0x00000000770B0000-0x00000000771C0000-memory.dmp

Filesize
1.1MB

Download
memory/2300-89-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2788-46-0x00000000770B0000-0x00000000771C0000-memory.dmp

Filesize
1.1MB

Download
memory/2788-45-0x00000000770B0000-0x00000000771C0000-memory.dmp

Filesize
1.1MB

Download
memory/2788-44-0x00000000770B0000-0x00000000771C0000-memory.dmp

Filesize
1.1MB

Download
memory/2788-43-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2788-85-0x0000000000400000-0x00000000004F3000-memory.dmp

Filesize
972KB

Download
memory/2788-86-0x00000000770B0000-0x00000000771C0000-memory.dmp

Filesize
1.1MB

Download

Analysis

Sharing

General

Malware Config

Extracted

Signatures

Processes

Network

MITRE ATT&CK Matrix ATT&CK v13

Replay Monitor

Loading Replay Monitor...

Downloads