Analysis
max time kernel: 142s
max time network: 124s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 11-04-2024 07:25

Behavioral task: behavioral1
Sample: ece22edeb630f6ea780e2ddc01fa0005_JaffaCakes118.exe
Resource: win7-20240221-en
General
Target: ece22edeb630f6ea780e2ddc01fa0005_JaffaCakes118.exe
Size: 423KB
MD5: ece22edeb630f6ea780e2ddc01fa0005
SHA1: 1804adb8a736799c0d8c3b9556335b19c7d83ebb
SHA256: 43ed2b2e7cea9419473cdb249f29f9d5d340c955046e9ccfd4506a9ea9bcb60c
SHA512: 0c0291723dfdd0645c3a0d8ebb95cb4b3b71468e258d3ff95e4864db1afba8f8db99ff11e2a08e3e97b597ce51dd004132df6f44bbcefd2b89be1a2dfd6d1a3f
SSDEEP: 12288:ClghoSqaNJ/Jj0rvipd0ysnewRU16PUAQ9muZ:Qg2aNb0rqkyWO1mU58A
Malware Config
Extracted family: darkcomet
Campaign ID: Guest16
C2: kurd97.no-ip.org:1604
Mutex: DC_MUTEX-F54S21D
InstallPath: MSDCSC\msdcsc.exe
gencode: 1U7AdLWZPz0J
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: Stage1.exe
  Description: Set value (str)
  IoC: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
- Executes dropped EXE (3 IoCs)
  PID 2012  Stage2.exe
  PID 2716  Stage1.exe
  PID 2724  msdcsc.exe
- Loads dropped DLL (6 IoCs)
  PID 2276  ece22edeb630f6ea780e2ddc01fa0005_JaffaCakes118.exe (4 entries)
  PID 2716  Stage1.exe (2 entries)
- UPX packed file (5 IoCs, yara rule: upx)
  behavioral1/memory/2276-0-0x0000000000400000-0x0000000000424000-memory.dmp
  \Users\Admin\AppData\Local\Temp\Stage2.exe
  behavioral1/memory/2276-5-0x0000000002A60000-0x0000000002AA3000-memory.dmp
  behavioral1/memory/2012-16-0x0000000000400000-0x0000000000443000-memory.dmp
  behavioral1/memory/2276-34-0x0000000000400000-0x0000000000424000-memory.dmp
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process: Stage1.exe
  Description: Set value (str)
  IoC: \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  PID 2716 Stage1.exe and PID 2724 msdcsc.exe each adjusted the following token privileges (23 per process):
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of WriteProcessMemory (33 IoCs)
  PID 2276 ece22edeb630f6ea780e2ddc01fa0005_JaffaCakes118.exe wrote to memory of PID 2012 Stage2.exe (4 entries)
  PID 2276 ece22edeb630f6ea780e2ddc01fa0005_JaffaCakes118.exe wrote to memory of PID 2716 Stage1.exe (4 entries)
  PID 2716 Stage1.exe wrote to memory of PID 2724 msdcsc.exe (4 entries)
  PID 2724 msdcsc.exe wrote to memory of PID 2580 notepad.exe (21 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\ece22edeb630f6ea780e2ddc01fa0005_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\ece22edeb630f6ea780e2ddc01fa0005_JaffaCakes118.exe"
  PID: 2276
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Stage2.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Stage2.exe" x -y -oC:\Users\Admin\AppData\Local\Temp -pxnq8rPMxVI87ciGwWJHxRTy3iauHcIirteOOELv3B5vkS9kJoHBUAahY1dWxj8yA
    PID: 2012
    - Executes dropped EXE
  - C:\Users\Admin\AppData\Local\Temp\Stage1.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Stage1.exe"
    PID: 2716
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      PID: 2724
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\notepad.exe
        Command line: notepad
        PID: 2580
Network
MITRE ATT&CK Enterprise v15
Downloads
- C:\Users\Admin\AppData\Local\Temp\Stage1.exe
  Filesize: 758KB
  MD5: 7c303d83d9e98481a51fbb713d9167ad
  SHA1: 41161fa33b57592a45283f49ce8639aeddc9505f
  SHA256: 03f99cbd454ab8b5d2fab9720f0280f4ebc7ff3d011278cac422894263f300fb
  SHA512: 013c590078de3830b6425ee45218e93739470b14c33538b25740a8b32b2054ba1efda306703d2a17429619b72774c789679a348082d847aaee09916ec0146473
- \Users\Admin\AppData\Local\Temp\Stage2.exe
  Filesize: 376KB
  MD5: ba4812abf562446e2bcda7f952a89593
  SHA1: d6ce12b940c0564cbe6880947babf98caa818945
  SHA256: 34535400b392d926fa1f5ed60a768659afd57d33b969676a9ca6675961063127
  SHA512: d44f7445a42a17f9ab7f662222a53442317eb8c64d6516ece6881b6c923360880e068708da84a9d1add66498b7cc8fe7c9a320b9bdd6a7a0f2dcd3d5f3a5f38b
- memory/2012-16-0x0000000000400000-0x0000000000443000-memory.dmp
  Filesize: 268KB
- memory/2276-0-0x0000000000400000-0x0000000000424000-memory.dmp
  Filesize: 144KB
- memory/2276-5-0x0000000002A60000-0x0000000002AA3000-memory.dmp
  Filesize: 268KB
- memory/2276-11-0x0000000002A60000-0x0000000002AA3000-memory.dmp
  Filesize: 268KB
- memory/2276-34-0x0000000000400000-0x0000000000424000-memory.dmp
  Filesize: 144KB
- memory/2580-35-0x0000000000080000-0x0000000000081000-memory.dmp
  Filesize: 4KB
- memory/2716-21-0x00000000002E0000-0x00000000002E1000-memory.dmp
  Filesize: 4KB
- memory/2716-31-0x0000000000400000-0x00000000004CD000-memory.dmp
  Filesize: 820KB
- memory/2724-33-0x0000000000260000-0x0000000000261000-memory.dmp
  Filesize: 4KB
- memory/2724-57-0x0000000000400000-0x00000000004CD000-memory.dmp
  Filesize: 820KB