darkcomet | 4b259a4d6a566836a4e511b7ca5d0bd5775360fd52eaf89b03035d4e602431c5

Analysis

max time kernel
151s
max time network
153s
platform
windows10-2004_x64
resource
win10v2004-20240226-en
resource tags

arch:x64arch:x86image:win10v2004-20240226-enlocale:en-usos:windows10-2004-x64system
submitted
28-06-2024 00:19

Sharing

Copy URL

Twitter E-mail

Report Analysis Logs

General

Target

1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
Size

1.3MB
MD5

1816dd0f974fecd01a3aee390593de19
SHA1

67c477675af6dfd5fca81669a58daae9fa8ddc8c
SHA256

4b259a4d6a566836a4e511b7ca5d0bd5775360fd52eaf89b03035d4e602431c5
SHA512

2488732d171cbd43f283cf423d493b1294439a5a4e200b6454a24267eb8f2a815058ef4798c16198b9b6bd4dbbb5442adaf103f483b02935b098bd9fa5fe966a
SSDEEP

24576:KdWfwUBOzQKW8d4UR/tqhnyMIo0eyauZUKctbFPZX46fJ6dVUqhkNvaWJ6Uq:q0p6pR/mndIoxyPU/btmVUqyRTq

Score

10^/10

darkcomet metin2-gio evasion persistence rat trojan

Malware Config

Extracted

Family

darkcomet

Botnet

metin2-gio

127.0.0.1:1604

hepter.dyndns.biz:8211

hepter.no-ip.org:8211

127.0.0.1:8211

Mutex

DC_MUTEX-C50UDX6

Attributes

InstallPath
Resimlerim\Profiles\chrome.exe
gencode
ja8PAQUAvm4V
install
true
offline_keylogger
true
password
hepter
persistence
true
reg_key
GoogleUpdate

Signatures

Darkcomet
DarkComet is a remote access trojan (RAT) developed by Jean-Pierre Lesueur.
trojan rat darkcomet

Modifies WinLogon for persistence 2 TTPs 1 IoCs

persistence

Winlogon Helper DLL

T1547.004

Modify Registry

T1112

Processes:

1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\Resimlerim\\Profiles\\chrome.exe"	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe

Modifies firewall policy service 3 TTPs 3 IoCs

evasion

Modify Registry

T1112

Windows Service

T1543.003

Disable or Modify System Firewall

T1562.004

Processes:

chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile	chrome.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"	chrome.exe
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"	chrome.exe

Modifies security service 2 TTPs 1 IoCs
evasion

Modify Registry
T1112

Windows Service
T1543.003

Processes:

chrome.exe

description ioc process

Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" chrome.exe
Windows security bypass 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

chrome.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" chrome.exe
Disables RegEdit via registry modification 1 IoCs
evasion

Processes:

chrome.exe

description ioc process

Set value (int) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" chrome.exe
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

884 attrib.exe
756 attrib.exe
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.

Query Registry
T1012

System Information Discovery
T1082

Processes:

1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe

description ioc process

Key value queried \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation 1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
Deletes itself 1 IoCs

Processes:

notepad.exe

pid process

5100 notepad.exe
Executes dropped EXE 3 IoCs

Processes:

chrome.exechrome.exechrome.exe

pid process

2576 chrome.exe
4228 chrome.exe
2796 chrome.exe
Loads dropped DLL 2 IoCs

Processes:

1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exechrome.exe

pid process

1600 1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
2576 chrome.exe
Windows security modification 2 TTPs 1 IoCs
evasion trojan

Disable or Modify Tools
T1562.001

Modify Registry
T1112

Processes:

chrome.exe

description ioc process

Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"	chrome.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	chrome.exe

description	ioc	process
Set value (int)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"	chrome.exe

pid	process
884	attrib.exe
756	attrib.exe

description	ioc	process
Key value queried	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\Control Panel\International\Geo\Nation	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe

pid	process
5100	notepad.exe

pid	process
2576	chrome.exe
4228	chrome.exe
2796	chrome.exe

pid	process
1600	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
2576	chrome.exe

description	ioc	process
Set value (str)	\REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"	chrome.exe

Adds Run key to start application 2 TTPs 2 IoCs

persistence

Registry Run Keys / Startup Folder

T1547.001

Modify Registry

T1112

Processes:

chrome.exe1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe

description	ioc	process
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate = "C:\\Users\\Admin\\Documents\\Resimlerim\\Profiles\\chrome.exe"	chrome.exe
Set value (str)	\REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\GoogleUpdate = "C:\\Users\\Admin\\Documents\\Resimlerim\\Profiles\\chrome.exe"	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe

Drops file in System32 directory 1 IoCs

Processes:

1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe

description ioc process

File created C:\Windows\SysWOW64\0c0c0c0c.dll 1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe

description	ioc	process
File created	C:\Windows\SysWOW64\0c0c0c0c.dll	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe

Suspicious use of SetThreadContext 4 IoCs

Processes:

1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exechrome.exechrome.exe

description	pid	process	target process
PID 1600 set thread context of 1568	1600	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
PID 1568 set thread context of 684	1568	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
PID 2576 set thread context of 4228	2576	chrome.exe	chrome.exe
PID 4228 set thread context of 2796	4228	chrome.exe	chrome.exe

Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Information Discovery
T1082
Modifies registry class 1 IoCs

Processes:

1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe

description ioc process

Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
Suspicious behavior: GetForegroundWindowSpam 1 IoCs

Processes:

chrome.exe

pid process

2796 chrome.exe

description	ioc	process
Key created	\REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe

pid	process
2796	chrome.exe

Suspicious use of AdjustPrivilegeToken 48 IoCs

Processes:

1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exechrome.exe

description	pid	process
Token: SeIncreaseQuotaPrivilege	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
Token: SeSecurityPrivilege	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
Token: SeLoadDriverPrivilege	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
Token: SeSystemProfilePrivilege	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
Token: SeSystemtimePrivilege	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
Token: SeBackupPrivilege	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
Token: SeRestorePrivilege	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
Token: SeShutdownPrivilege	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
Token: SeDebugPrivilege	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
Token: SeUndockPrivilege	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
Token: SeManageVolumePrivilege	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
Token: SeImpersonatePrivilege	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
Token: 33	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
Token: 34	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
Token: 35	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
Token: 36	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege	2796	chrome.exe
Token: SeSecurityPrivilege	2796	chrome.exe
Token: SeTakeOwnershipPrivilege	2796	chrome.exe
Token: SeLoadDriverPrivilege	2796	chrome.exe
Token: SeSystemProfilePrivilege	2796	chrome.exe
Token: SeSystemtimePrivilege	2796	chrome.exe
Token: SeProfSingleProcessPrivilege	2796	chrome.exe
Token: SeIncBasePriorityPrivilege	2796	chrome.exe
Token: SeCreatePagefilePrivilege	2796	chrome.exe
Token: SeBackupPrivilege	2796	chrome.exe
Token: SeRestorePrivilege	2796	chrome.exe
Token: SeShutdownPrivilege	2796	chrome.exe
Token: SeDebugPrivilege	2796	chrome.exe
Token: SeSystemEnvironmentPrivilege	2796	chrome.exe
Token: SeChangeNotifyPrivilege	2796	chrome.exe
Token: SeRemoteShutdownPrivilege	2796	chrome.exe
Token: SeUndockPrivilege	2796	chrome.exe
Token: SeManageVolumePrivilege	2796	chrome.exe
Token: SeImpersonatePrivilege	2796	chrome.exe
Token: SeCreateGlobalPrivilege	2796	chrome.exe
Token: 33	2796	chrome.exe
Token: 34	2796	chrome.exe
Token: 35	2796	chrome.exe
Token: 36	2796	chrome.exe

Suspicious use of SetWindowsHookEx 5 IoCs

Processes:

1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exechrome.exechrome.exechrome.exe

pid process

1600 1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
1568 1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
2576 chrome.exe
4228 chrome.exe
2796 chrome.exe

pid	process
1600	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
1568	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
2576	chrome.exe
4228	chrome.exe
2796	chrome.exe

Suspicious use of WriteProcessMemory 64 IoCs

Processes:

1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe1816dd0f974fecd01a3aee390593de19_JaffaCakes118.execmd.execmd.exechrome.exechrome.exe

description	pid	process	target process
PID 1600 wrote to memory of 1568	1600	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
PID 1600 wrote to memory of 1568	1600	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
PID 1600 wrote to memory of 1568	1600	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
PID 1600 wrote to memory of 1568	1600	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
PID 1600 wrote to memory of 1568	1600	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
PID 1600 wrote to memory of 1568	1600	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
PID 1600 wrote to memory of 1568	1600	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
PID 1600 wrote to memory of 1568	1600	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
PID 1568 wrote to memory of 684	1568	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
PID 1568 wrote to memory of 684	1568	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
PID 1568 wrote to memory of 684	1568	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
PID 1568 wrote to memory of 684	1568	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
PID 1568 wrote to memory of 684	1568	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
PID 1568 wrote to memory of 684	1568	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
PID 1568 wrote to memory of 684	1568	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
PID 1568 wrote to memory of 684	1568	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
PID 1568 wrote to memory of 684	1568	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
PID 1568 wrote to memory of 684	1568	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
PID 1568 wrote to memory of 684	1568	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
PID 1568 wrote to memory of 684	1568	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
PID 1568 wrote to memory of 684	1568	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
PID 1568 wrote to memory of 684	1568	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
PID 684 wrote to memory of 4088	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	cmd.exe
PID 684 wrote to memory of 4088	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	cmd.exe
PID 684 wrote to memory of 4088	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	cmd.exe
PID 684 wrote to memory of 4084	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	cmd.exe
PID 684 wrote to memory of 4084	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	cmd.exe
PID 684 wrote to memory of 4084	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	cmd.exe
PID 684 wrote to memory of 5100	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	notepad.exe
PID 684 wrote to memory of 5100	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	notepad.exe
PID 684 wrote to memory of 5100	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	notepad.exe
PID 684 wrote to memory of 5100	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	notepad.exe
PID 684 wrote to memory of 5100	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	notepad.exe
PID 684 wrote to memory of 5100	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	notepad.exe
PID 684 wrote to memory of 5100	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	notepad.exe
PID 684 wrote to memory of 5100	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	notepad.exe
PID 684 wrote to memory of 5100	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	notepad.exe
PID 684 wrote to memory of 5100	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	notepad.exe
PID 684 wrote to memory of 5100	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	notepad.exe
PID 684 wrote to memory of 5100	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	notepad.exe
PID 684 wrote to memory of 5100	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	notepad.exe
PID 684 wrote to memory of 5100	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	notepad.exe
PID 684 wrote to memory of 5100	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	notepad.exe
PID 684 wrote to memory of 5100	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	notepad.exe
PID 684 wrote to memory of 5100	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	notepad.exe
PID 4084 wrote to memory of 756	4084	cmd.exe	attrib.exe
PID 4084 wrote to memory of 756	4084	cmd.exe	attrib.exe
PID 4084 wrote to memory of 756	4084	cmd.exe	attrib.exe
PID 4088 wrote to memory of 884	4088	cmd.exe	attrib.exe
PID 4088 wrote to memory of 884	4088	cmd.exe	attrib.exe
PID 4088 wrote to memory of 884	4088	cmd.exe	attrib.exe
PID 684 wrote to memory of 2576	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	chrome.exe
PID 684 wrote to memory of 2576	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	chrome.exe
PID 684 wrote to memory of 2576	684	1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe	chrome.exe
PID 2576 wrote to memory of 4228	2576	chrome.exe	chrome.exe
PID 2576 wrote to memory of 4228	2576	chrome.exe	chrome.exe
PID 2576 wrote to memory of 4228	2576	chrome.exe	chrome.exe
PID 2576 wrote to memory of 4228	2576	chrome.exe	chrome.exe
PID 2576 wrote to memory of 4228	2576	chrome.exe	chrome.exe
PID 2576 wrote to memory of 4228	2576	chrome.exe	chrome.exe
PID 2576 wrote to memory of 4228	2576	chrome.exe	chrome.exe
PID 2576 wrote to memory of 4228	2576	chrome.exe	chrome.exe
PID 4228 wrote to memory of 2796	4228	chrome.exe	chrome.exe
PID 4228 wrote to memory of 2796	4228	chrome.exe	chrome.exe

Views/modifies file attributes 1 TTPs 2 IoCs
evasion

Hidden Files and Directories
T1564.001

Processes:

attrib.exeattrib.exe

pid process

884 attrib.exe
756 attrib.exe

pid	process
884	attrib.exe
756	attrib.exe

C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe"
1⤵
- Loads dropped DLL
- Drops file in System32 directory
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1600

C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe"
2⤵
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1568

C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe"
3⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:684

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe" +s +h
4⤵
- Suspicious use of WriteProcessMemory
PID:4088

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp\1816dd0f974fecd01a3aee390593de19_JaffaCakes118.exe" +s +h
5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:884

C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
4⤵
- Suspicious use of WriteProcessMemory
PID:4084

C:\Windows\SysWOW64\attrib.exe
attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
5⤵
- Sets file to hidden
- Views/modifies file attributes
PID:756

C:\Windows\SysWOW64\notepad.exe
notepad
4⤵
- Deletes itself
PID:5100

C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe
"C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe"
4⤵
- Executes dropped EXE
- Loads dropped DLL
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2576

C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe
"C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe"
5⤵
- Executes dropped EXE
- Suspicious use of SetThreadContext
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:4228

C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe
"C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe"
6⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:2796

C:\Windows\SysWOW64\notepad.exe
notepad
7⤵
PID:5044

C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
"C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=1344 --field-trial-handle=2284,i,15722001240173834669,15048020084704567542,262144 --variations-seed-version /prefetch:8
1⤵
PID:872

Network

MITRE ATT&CK Matrix ATT&CK v13

Initial Access

Execution

Persistence

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Privilege Escalation

Boot or Logon Autostart Execution

T1547

Registry Run Keys / Startup Folder

T1547.001

Winlogon Helper DLL

T1547.004

Create or Modify System Process

T1543

Windows Service

T1543.003

Defense Evasion

Modify Registry

T1112

Impair Defenses

T1562

Disable or Modify Tools

T1562.001

Disable or Modify System Firewall

T1562.004

Hide Artifacts

T1564

Hidden Files and Directories

T1564.001

Credential Access

Discovery

Query Registry

T1012

System Information Discovery

T1082

Lateral Movement

Collection

Exfiltration

Command and Control

Impact

Resource Development

Reconnaissance

Replay Monitor

Loading Replay Monitor...

Downloads

C:\Users\Admin\AppData\Roaming\Microsoft\Crypto\RSA\S-1-5-21-3808065738-1666277613-1125846146-1000\88603cb2913a7df3fbd16b5f958e6447_2397ee06-28fe-4eaa-8777-f7014368c353
Filesize
51B

MD5
5fc2ac2a310f49c14d195230b91a8885

SHA1
90855cc11136ba31758fe33b5cf9571f9a104879

SHA256
374e0e2897a7a82e0e44794cad89df0f3cdd7703886239c1fe06d625efd48092

SHA512
ab46554df9174b9fe9beba50a640f67534c3812f64d96a1fb8adfdc136dfe730ca2370825cd45b7f87a544d6a58dd868cb5a3a7f42e2789f6d679dbc0fdd52c3

Download Submit
C:\Users\Admin\Documents\Resimlerim\Profiles\chrome.exe
Filesize
1.3MB

MD5
1816dd0f974fecd01a3aee390593de19

SHA1
67c477675af6dfd5fca81669a58daae9fa8ddc8c

SHA256
4b259a4d6a566836a4e511b7ca5d0bd5775360fd52eaf89b03035d4e602431c5

SHA512
2488732d171cbd43f283cf423d493b1294439a5a4e200b6454a24267eb8f2a815058ef4798c16198b9b6bd4dbbb5442adaf103f483b02935b098bd9fa5fe966a

Download Submit
C:\Windows\SysWOW64\0c0c0c0c.dll
Filesize
1.3MB

MD5
df5c622697dc8c743f3884914a9e4d99

SHA1
cdfc6345080dfa9c45d323f15532ad9274385d2f

SHA256
0ca52bc5cf854e274e15ba07df97b2e75ec4e1fc2d90f23676da7fa3c95da089

SHA512
59867bb9608c250661a6eb823f06c907d334eb4f638b04f21cf10213e5163035c37261f5213642c703dd382871a5d3ae764839c1b93e18e833d85ac0e3409f90

Download Submit
memory/684-91-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/684-16-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/684-17-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/684-20-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/684-21-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/684-22-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/1568-8-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1568-11-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1568-18-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/1600-10-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1600-0-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/1600-1-0x00000000001C0000-0x00000000001C3000-memory.dmp

Filesize
12KB

Download
memory/2576-99-0x0000000000400000-0x00000000005D4000-memory.dmp

Filesize
1.8MB

Download
memory/2796-103-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2796-113-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2796-123-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2796-107-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2796-106-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2796-109-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2796-110-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2796-122-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2796-121-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2796-111-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2796-112-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2796-120-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2796-114-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2796-115-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2796-116-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2796-117-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2796-118-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/2796-119-0x0000000000400000-0x00000000004BC000-memory.dmp

Filesize
752KB

Download
memory/4228-95-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/4228-104-0x0000000000400000-0x0000000000406000-memory.dmp

Filesize
24KB

Download
memory/5044-108-0x0000000001330000-0x0000000001331000-memory.dmp

Filesize
4KB

Download
memory/5100-26-0x0000000001360000-0x0000000001361000-memory.dmp

Filesize
4KB

Download