Analysis
- max time kernel: 150s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240508-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-07-2024 08:21
Static task: static1
Behavioral task: behavioral1
Sample: 1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe
Resource: win7-20240611-en
General
- Target: 1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe
- Size: 2.0MB
- MD5: 1a949339827c3534c314fc5cef076cfa
- SHA1: 8d171e83dcba6d417e1729061a35a3a94dd8a648
- SHA256: fa6ca82b40ad7f1cad6350c10b9b1aca038ed678ba4705465f5eca4a9604a844
- SHA512: 97b87eb9a7b787923e7284a83a461bd24c2dac08fdc968364f8c3dfa937967af5b2ee4c524dc47a162942d16010e5cd67439222ac875aa9301769936400bfb64
- SSDEEP: 49152://CBhJF7gxl916Fy1xjK1egEVCa0cbKV:
Malware Config
Extracted
- Family: darkcomet
- Campaign ID: Guest16
- C2: 192.168.178.27:1604, 77.13.126.78:1604
- Mutex: DC_MUTEX-H9FGMQM
- InstallPath: MSDCSC\msdcsc.exe
- gencode: S0syElonRqL0
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 3 IoCs)
  Processes: DarkComet.exe, ProRat.exe, services.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (DarkComet.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" (ProRat.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\Shell = "Explorer.exe C:\\Windows\\system32\\fservice.exe" (services.exe)
- Modifies firewall policy service (3 TTPs, 3 IoCs)
  Processes: msdcsc.exe
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (msdcsc.exe)
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (msdcsc.exe)
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (msdcsc.exe)
- Modifies security service (2 TTPs, 1 IoCs)
  Processes: msdcsc.exe
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (msdcsc.exe)
- Windows security bypass
  Processes: msdcsc.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (msdcsc.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (msdcsc.exe)
- Adds policy Run key to start application (2 TTPs, 4 IoCs)
  Processes: ProRat.exe, services.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (ProRat.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" (ProRat.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run (services.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer\Run\DirectX For Microsoft® Windows = "C:\\Windows\\system32\\fservice.exe" (services.exe)
- Boot or Logon Autostart Execution: Active Setup (2 TTPs, 5 IoCs)
  Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
  Processes: services.exe, ProRat.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ (services.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" (services.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y} (ProRat.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\ (ProRat.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Active Setup\Installed Components\{5Y99AE78-58TT-11dW-BE53-Y67078979Y}\StubPath = "C:\\Windows\\system\\sservice.exe" (ProRat.exe)
- Disables RegEdit via registry modification (1 IoCs)
  Processes: msdcsc.exe
  - Set value (int): \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (msdcsc.exe)
- Disables Task Manager via registry modification
- Sets file to hidden (1 TTPs, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  Processes: attrib.exe, attrib.exe
  - pid 2036 attrib.exe
  - pid 3120 attrib.exe
- YARA rule match
  - C:\Windows\SysWOW64\winkey.dll: aspack_v212_v242
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe, DarkComet.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation (1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe)
  - Key value queried: \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\Control Panel\International\Geo\Nation (DarkComet.exe)
- Executes dropped EXE (9 IoCs)
  Processes: SubSeven.exe, PoisonIVY.exe, PoisonIVY.exe, Bifrost.exe, DarkComet.exe, ProRat.exe, fservice.exe, services.exe, msdcsc.exe
  - pid 2664 SubSeven.exe
  - pid 4612 PoisonIVY.exe
  - pid 552 PoisonIVY.exe
  - pid 1548 Bifrost.exe
  - pid 4380 DarkComet.exe
  - pid 1592 ProRat.exe
  - pid 1700 fservice.exe
  - pid 1708 services.exe
  - pid 3440 msdcsc.exe
- Loads dropped DLL (8 IoCs)
  Processes: services.exe, msdcsc.exe, fservice.exe, ProRat.exe, notepad.exe, notepad.exe
  - pid 1708 services.exe (3 events)
  - pid 3440 msdcsc.exe
  - pid 1700 fservice.exe
  - pid 1592 ProRat.exe
  - pid 2292 notepad.exe
  - pid 3848 notepad.exe
- YARA rule match
  - C:\Users\Admin\AppData\Local\Temp\SubSeven.exe: upx
  - behavioral2/memory/2664-14-0x0000000000400000-0x000000000050C000-memory.dmp: upx
  - C:\Users\Admin\AppData\Local\Temp\ProRat.exe: upx
  - behavioral2/memory/1592-55-0x0000000000400000-0x00000000005FC000-memory.dmp: upx
  - behavioral2/memory/1700-71-0x0000000000400000-0x00000000005FC000-memory.dmp: upx
  - behavioral2/memory/1708-90-0x0000000000400000-0x00000000005FC000-memory.dmp: upx
  - behavioral2/memory/1700-113-0x0000000000400000-0x00000000005FC000-memory.dmp: upx
  - behavioral2/memory/1592-118-0x0000000000400000-0x00000000005FC000-memory.dmp: upx
  - behavioral2/memory/2664-122-0x0000000000400000-0x000000000050C000-memory.dmp: upx
  - behavioral2/memory/1708-124-0x0000000000400000-0x00000000005FC000-memory.dmp: upx
  - behavioral2/memory/1708-127-0x0000000000400000-0x00000000005FC000-memory.dmp: upx
  - behavioral2/memory/1708-130-0x0000000000400000-0x00000000005FC000-memory.dmp: upx
  - behavioral2/memory/1708-131-0x0000000000400000-0x00000000005FC000-memory.dmp: upx
  - behavioral2/memory/1708-134-0x0000000000400000-0x00000000005FC000-memory.dmp: upx
  - behavioral2/memory/1708-137-0x0000000000400000-0x00000000005FC000-memory.dmp: upx
  - behavioral2/memory/1708-140-0x0000000000400000-0x00000000005FC000-memory.dmp: upx
  - behavioral2/memory/1708-143-0x0000000000400000-0x00000000005FC000-memory.dmp: upx
  - behavioral2/memory/1708-146-0x0000000000400000-0x00000000005FC000-memory.dmp: upx
  - behavioral2/memory/1708-149-0x0000000000400000-0x00000000005FC000-memory.dmp: upx
  - behavioral2/memory/1708-152-0x0000000000400000-0x00000000005FC000-memory.dmp: upx
  - behavioral2/memory/1708-155-0x0000000000400000-0x00000000005FC000-memory.dmp: upx
  - behavioral2/memory/1708-158-0x0000000000400000-0x00000000005FC000-memory.dmp: upx
  - behavioral2/memory/1708-161-0x0000000000400000-0x00000000005FC000-memory.dmp: upx
  - behavioral2/memory/1708-164-0x0000000000400000-0x00000000005FC000-memory.dmp: upx
- Windows security modification
  Processes: msdcsc.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (msdcsc.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (msdcsc.exe)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes: DarkComet.exe, msdcsc.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (DarkComet.exe)
  - Set value (str): \REGISTRY\USER\S-1-5-21-3558294865-3673844354-2255444939-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (msdcsc.exe)
- Modifies WinLogon (2 TTPs, 2 IoCs)
  Processes: ProRat.exe, services.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ (ProRat.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows NT\CurrentVersion\Winlogon\ (services.exe)
- Drops file in System32 directory (7 IoCs)
  Processes: services.exe, ProRat.exe, fservice.exe
  - File created: C:\Windows\SysWOW64\winkey.dll (services.exe)
  - File created: C:\Windows\SysWOW64\reginv.dll (services.exe)
  - File created: C:\Windows\SysWOW64\fservice.exe (services.exe)
  - File created: C:\Windows\SysWOW64\fservice.exe (ProRat.exe)
  - File opened for modification: C:\Windows\SysWOW64\fservice.exe (ProRat.exe)
  - File created: C:\Windows\SysWOW64\fservice.exe (fservice.exe)
  - File opened for modification: C:\Windows\SysWOW64\fservice.exe (fservice.exe)
- Drops file in Windows directory (7 IoCs)
  Processes: fservice.exe, services.exe, ProRat.exe
  - File opened for modification: C:\Windows\services.exe (fservice.exe)
  - File created: C:\Windows\system\sservice.exe (fservice.exe)
  - File opened for modification: C:\Windows\system\sservice.exe (fservice.exe)
  - File created: C:\Windows\system\sservice.exe (services.exe)
  - File created: C:\Windows\system\sservice.exe (ProRat.exe)
  - File opened for modification: C:\Windows\system\sservice.exe (ProRat.exe)
  - File created: C:\Windows\services.exe (fservice.exe)
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Program crash (1 IoCs)
  Processes: WerFault.exe
  - pid 4696 WerFault.exe, target pid 552 (PoisonIVY.exe)
- Runs net.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  Processes: Bifrost.exe, services.exe
  - pid 1548 Bifrost.exe (4 events)
  - pid 1708 services.exe (remaining 60 events)
- Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
  Processes: msdcsc.exe
  - pid 3440 msdcsc.exe
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: DarkComet.exe, msdcsc.exe
  Both pid 4380 DarkComet.exe and pid 3440 msdcsc.exe adjusted the same 24 token privileges:
  - SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (3 IoCs)
  Processes: services.exe, msdcsc.exe
  - pid 1708 services.exe (2 events)
  - pid 3440 msdcsc.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Processes: 1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe, PoisonIVY.exe, Bifrost.exe, DarkComet.exe, ProRat.exe, fservice.exe, services.exe
  Source pid/process wrote to memory of target pid/process (number of events):
  - 1972 1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe -> 2664 SubSeven.exe (3)
  - 1972 1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe -> 4612 PoisonIVY.exe (3)
  - 1972 1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe -> 1548 Bifrost.exe (3)
  - 4612 PoisonIVY.exe -> 552 PoisonIVY.exe (3)
  - 1548 Bifrost.exe -> 3448 Explorer.EXE (6)
  - 1972 1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe -> 4380 DarkComet.exe (3)
  - 1972 1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe -> 1592 ProRat.exe (3)
  - 4380 DarkComet.exe -> 1016 cmd.exe (3)
  - 1592 ProRat.exe -> 1700 fservice.exe (3)
  - 4380 DarkComet.exe -> 1608 cmd.exe (3)
  - 4380 DarkComet.exe -> 2292 notepad.exe (17)
  - 1700 fservice.exe -> 1708 services.exe (3)
  - 4380 DarkComet.exe -> 3440 msdcsc.exe (3)
  - 1708 services.exe -> 3392 NET.exe (3)
  - 1708 services.exe -> 2504 NET.exe (3)
  - 1592 ProRat.exe -> 2120 cmd.exe (2)
- System policy modification (1 TTPs, 3 IoCs)
  Processes: msdcsc.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion (msdcsc.exe)
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern (msdcsc.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" (msdcsc.exe)
- Views/modifies file attributes (1 TTPs, 2 IoCs)
  Processes: attrib.exe, attrib.exe
  - pid 2036 attrib.exe
  - pid 3120 attrib.exe
Processes (tree; indentation shows parent/child relationship)
- C:\Windows\Explorer.EXE
  cmdline: C:\Windows\Explorer.EXE
  - C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe
    cmdline: "C:\Users\Admin\AppData\Local\Temp\1a949339827c3534c314fc5cef076cfa_JaffaCakes118.exe"
    signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\SubSeven.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\SubSeven.exe"
      signatures: Executes dropped EXE
    - C:\Users\Admin\AppData\Local\Temp\PoisonIVY.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\PoisonIVY.exe"
      signatures: Executes dropped EXE; Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\PoisonIVY.exe
        cmdline: StubPath
        signatures: Executes dropped EXE
        - C:\Windows\SysWOW64\WerFault.exe
          cmdline: C:\Windows\SysWOW64\WerFault.exe -u -p 552 -s 464
          signatures: Program crash
    - C:\Users\Admin\AppData\Local\Temp\Bifrost.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\Bifrost.exe"
      signatures: Executes dropped EXE; Suspicious behavior: EnumeratesProcesses; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\DarkComet.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\DarkComet.exe"
      signatures: Modifies WinLogon for persistence; Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\DarkComet.exe" +s +h
        - C:\Windows\SysWOW64\attrib.exe
          cmdline: attrib "C:\Users\Admin\AppData\Local\Temp\DarkComet.exe" +s +h
          signatures: Sets file to hidden; Views/modifies file attributes
      - C:\Windows\SysWOW64\cmd.exe
        cmdline: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - C:\Windows\SysWOW64\attrib.exe
          cmdline: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
          signatures: Sets file to hidden; Views/modifies file attributes
      - C:\Windows\SysWOW64\notepad.exe
        cmdline: notepad
        signatures: Loads dropped DLL
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        cmdline: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        signatures: Modifies firewall policy service; Modifies security service; Windows security bypass; Disables RegEdit via registry modification; Executes dropped EXE; Loads dropped DLL; Windows security modification; Adds Run key to start application; Suspicious behavior: GetForegroundWindowSpam; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx; System policy modification
        - C:\Program Files (x86)\Internet Explorer\iexplore.exe
          cmdline: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        - C:\Windows\explorer.exe
          cmdline: "C:\Windows\explorer.exe"
        - C:\Windows\SysWOW64\notepad.exe
          cmdline: notepad
          signatures: Loads dropped DLL
    - C:\Users\Admin\AppData\Local\Temp\ProRat.exe
      cmdline: "C:\Users\Admin\AppData\Local\Temp\ProRat.exe"
      signatures: Modifies WinLogon for persistence; Adds policy Run key to start application; Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Loads dropped DLL; Modifies WinLogon; Drops file in System32 directory; Drops file in Windows directory; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\fservice.exe
        cmdline: C:\Windows\system32\fservice.exe
        signatures: Executes dropped EXE; Loads dropped DLL; Drops file in System32 directory; Drops file in Windows directory; Suspicious use of WriteProcessMemory
        - C:\Windows\services.exe
          cmdline: C:\Windows\services.exe -XP
          signatures: Modifies WinLogon for persistence; Adds policy Run key to start application; Boot or Logon Autostart Execution: Active Setup; Executes dropped EXE; Loads dropped DLL; Modifies WinLogon; Drops file in System32 directory; Drops file in Windows directory; Suspicious behavior: EnumeratesProcesses; Suspicious use of SetWindowsHookEx; Suspicious use of WriteProcessMemory
          - C:\Windows\SysWOW64\NET.exe
            cmdline: NET STOP srservice
            - C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 STOP srservice
          - C:\Windows\SysWOW64\NET.exe
            cmdline: NET STOP navapsvc
            - C:\Windows\SysWOW64\net1.exe
              cmdline: C:\Windows\system32\net1 STOP navapsvc
      - C:\Windows\SysWOW64\cmd.exe
        cmdline: C:\Windows\system32\cmd.exe /c C:\Users\Admin\AppData\Local\Temp\ProRat.exe.bat
- C:\Windows\SysWOW64\WerFault.exe
  cmdline: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 552 -ip 552
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (5)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (2)
  - Active Setup (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (5)
  - Registry Run Keys / Startup Folder (2)
  - Winlogon Helper DLL (2)
  - Active Setup (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads
- C:\Users\Admin\AppData\Local\Temp\Bifrost.exe
  Filesize: 48KB
  MD5: 00eb83e1bbfa6aec6d1e781a78bc0454
  SHA1: a8ccad37a9f10f1d8020cdbc98029795e316d869
  SHA256: a8e6e03de4677be7e8f8cf48b42abb3661f206ef26c5986df90813fca101d899
  SHA512: 20e07ad6c3aab6320311cf30a5b766ecbaafc49b2f76a63d497ec5c5e30da9df440ca37841f6e4242581aece640afd500e70e04649a110451ef4c3e27b689daf
- C:\Users\Admin\AppData\Local\Temp\DarkComet.exe
  Filesize: 660KB
  MD5: 84df488c078e35518db1fd6c9aa9ba87
  SHA1: 7119a12be57f669ed9d936294eaa703a89398f48
  SHA256: 58bee144b8930d90edac006468e5aefa0ecc44319d39cb3a6c9cf7cf13f68ca8
  SHA512: e09c90223d4215a44818c9a21aa897e0372dbd63119bd602d38818240bc040c1d93cebd794bb96fed01ff9055ca3a2b2e08c15a23490fc6c263d778f06003a04
- C:\Users\Admin\AppData\Local\Temp\PoisonIVY.exe
  Filesize: 9KB
  MD5: 2621bf0c4086f801874857ca07eeae8e
  SHA1: 32ee702ce14d148f58f9344e22a4b8e301e562c5
  SHA256: 67f4623acc3ff4c84c4456e6f97a66d9ee2a148ce6a1aa1157b0aa362a379765
  SHA512: 33aa74e279f628711347b6910a343f8aa3a8ed31ef4c3d2e9226f43a8b237e9162e37605d67d89c359c6448e657bb10b9d8defbccf0322a728043708a49fd544
- C:\Users\Admin\AppData\Local\Temp\ProRat.exe
  Filesize: 342KB
  MD5: 5ac46ad5d65132a31357942360786b2f
  SHA1: d8ba1b566f6bd314211feec4c1e2b3c3a2b9cb0a
  SHA256: 17c96882c2196c97937a7d594c6a43bad447263fe1efb5933c9575361ff98ecb
  SHA512: c16957796155dcf64e467f413bfa6b3015a162e6454dfb6628523c0c6bb97deff5703d8616c0c8208123a95739ee9128c96ddf2a7e237a1e05e3a8f6036b5d35
- C:\Users\Admin\AppData\Local\Temp\ProRat.exe.bat
  Filesize: 129B
  MD5: 0781898738882613a4fc080c5fd2e0fa
  SHA1: 189dd18c413f16e9bb91a7fea1418b1e38cf14cf
  SHA256: 82e7b490e2cac6acded0eb708f6f70d14d7aba0153482f7939b3e1c93fb9ad42
  SHA512: 31ec42a845ea8065c96d9b3aef81c65d4c5476fd8ecedcfadc18503ad0d2daadc461e9b9f160c4855e1969a2b182dbc12b1ca3190d2f2ee8b47e92fb409d2f35
- C:\Users\Admin\AppData\Local\Temp\SubSeven.exe
  Filesize: 373KB
  MD5: a1f91ceb13bd21061479d9716f63d42d
  SHA1: e61ea5d2f230da5750235b1c7ea409393b8486e8
  SHA256: cb834303994b8cbc637af4088e3329691581b635dbe78c4f2d4f3ed4cffd3b5e
  SHA512: ad52194def19b51a4fd630fe50294b6d73aa0b523cf73f223d117c46af4d8e585eb703d335c826678a5ff87eea4b339469fec30f0f07f492837e98a69424d9b0
- C:\Windows\SysWOW64\reginv.dll
  Filesize: 36KB
  MD5: 562e0d01d6571fa2251a1e9f54c6cc69
  SHA1: 83677ad3bc630aa6327253c7b3deffbd4a8ce905
  SHA256: c5b1d800c86d550c0b68c57c0d9911c1dd21df9e5e37e9e7bc032b5e66fdebe6
  SHA512: 166e132432eca24061f7e7d0c58c0b286e971ae2bc50f7c890b7707dd5dede19fcd83a5f79b6fd3f93dd691e07ad9bc1bd05fe82ccaade1610282188571585ea
- C:\Windows\SysWOW64\winkey.dll
  Filesize: 13KB
  MD5: b4c72da9fd1a0dcb0698b7da97daa0cd
  SHA1: b25a79e8ea4c723c58caab83aed6ea48de7ed759
  SHA256: 45d266269634ba2de70f179a26d7224111e677e66b38dff2802851b71ce4458f
  SHA512: f5f184416c5381d275bc093c9275e9fdb35c58e2c401d188aef097950013de6e43269da5d4dd5e7baea34735bd7de664d15fe487b2292fd66926c9845b0cd066