Analysis
- max time kernel: 143s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240412-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240412-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 15-04-2024 17:29
Static task: static1

Behavioral task: behavioral1
- Sample: f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
- Resource: win7-20240221-en

Behavioral task: behavioral2
- Sample: f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
- Resource: win10v2004-20240412-en
General
- Target: f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
- Size: 696KB
- MD5: f19963d3be14b2814ebb426d696946d1
- SHA1: b59615351092d16bf8351770e5babf14b9e98773
- SHA256: 00c74003c836810249535540ca35991ed322257b34b238815c45ad7c5b798379
- SHA512: 6dc3f6bfa3fd6f065496392ff753b72e47d6440e56d74e669faa963c7d0064655a80e967bdd47c6cf9ff197f7917285988f46e24875394897249dea3523b015a
- SSDEEP: 12288:8Bw47KoNeh77kTqnHu0EVQwmtKJZb5UsdRr3cPYgtjR+SI:8Bw2khAqMWoh5hV2jR+7
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16
- C2: lujadex.no-ip.org:5250
- Mutex: DC_MUTEX-TSV5AGW
- InstallPath: MSDCSC\msdcsc.exe
- gencode: 2JDQ9S3gs62T
- install: true
- offline_keylogger: true
- password: my974637
- persistence: false
- reg_key: WinUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes:
  - f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes:
  - f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe: Key value queried \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\Control Panel\International\Geo\Nation
- Executes dropped EXE (2 IoCs)
  Processes:
  - PID 1740 msdcsc.exe
  - PID 4068 msdcsc.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  Processes:
  - f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe: Set value (str) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\name_me = "C:\\Users\\Admin\\AppData\\Roaming\\test.exe"
  - f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe: Set value (str) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"
  - msdcsc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-553605503-2331009851-2137262461-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\name_me = "C:\\Users\\Admin\\AppData\\Roaming\\test.exe"
- Suspicious use of SetThreadContext (2 IoCs)
  Processes:
  - PID 3824 f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe set thread context of PID 3588 f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
  - PID 1740 msdcsc.exe set thread context of PID 4068 msdcsc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes:
  - PID 3588 f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  - PID 4068 msdcsc.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (5 IoCs)
  Processes:
  - PID 3824 f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe (2 IoCs)
  - PID 1740 msdcsc.exe (2 IoCs)
  - PID 4068 msdcsc.exe (1 IoC)
- Suspicious use of WriteProcessMemory (31 IoCs)
  Processes:
  - PID 3824 f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe wrote to memory of PID 3588 f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe (14 IoCs)
  - PID 3588 f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe wrote to memory of PID 1740 msdcsc.exe (3 IoCs)
  - PID 1740 msdcsc.exe wrote to memory of PID 4068 msdcsc.exe (14 IoCs)
Processes
- C:\Users\Admin\AppData\Local\Temp\f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of SetWindowsHookEx
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\f19963d3be14b2814ebb426d696946d1_JaffaCakes118.exe"
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
        - Executes dropped EXE
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
Downloads
- C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
  Filesize: 696KB
  MD5: f19963d3be14b2814ebb426d696946d1
  SHA1: b59615351092d16bf8351770e5babf14b9e98773
  SHA256: 00c74003c836810249535540ca35991ed322257b34b238815c45ad7c5b798379
  SHA512: 6dc3f6bfa3fd6f065496392ff753b72e47d6440e56d74e669faa963c7d0064655a80e967bdd47c6cf9ff197f7917285988f46e24875394897249dea3523b015a
- C:\Users\Admin\AppData\Roaming\test.exe
  Filesize: 696KB
  MD5: 26dcd20b3c031d1cbe330d3bcbbf5ca2
  SHA1: b81b9dff59f38f9f48fd49050b89412aa2a2d1f8
  SHA256: 5a1306015fd0358c0f8459bd12ba885190d9576fe8cea22f539b6255c1fb185e
  SHA512: 571b89bb8a4923eb2c84ad8876b36875d2506df43a1adfec38f0bdaae6e9475c809a10d5be6f87aa724e44da7dcae49f0a0006fbb956a7690fb02c0aa111ab6b
- memory/1740-28-0x0000000000400000-0x00000000004AE000-memory.dmp (Filesize: 696KB)
- memory/1740-23-0x0000000000400000-0x00000000004AE000-memory.dmp (Filesize: 696KB)
- memory/3588-7-0x00000000023D0000-0x00000000023D1000-memory.dmp (Filesize: 4KB)
- memory/3588-6-0x0000000000400000-0x00000000004BE000-memory.dmp (Filesize: 760KB)
- memory/3588-5-0x0000000000400000-0x00000000004BE000-memory.dmp (Filesize: 760KB)
- memory/3588-20-0x0000000000400000-0x00000000004BE000-memory.dmp (Filesize: 760KB)
- memory/3588-3-0x0000000000400000-0x00000000004BE000-memory.dmp (Filesize: 760KB)
- memory/3588-24-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
- memory/3588-2-0x0000000000400000-0x00000000004BE000-memory.dmp (Filesize: 760KB)
- memory/3824-1-0x0000000000400000-0x00000000004AE000-memory.dmp (Filesize: 696KB)
- memory/3824-4-0x0000000000400000-0x00000000004AE000-memory.dmp (Filesize: 696KB)
- memory/4068-30-0x0000000000400000-0x00000000004BE000-memory.dmp (Filesize: 760KB)
- memory/4068-31-0x0000000000400000-0x00000000004BE000-memory.dmp (Filesize: 760KB)
- memory/4068-33-0x00000000007D0000-0x00000000007D1000-memory.dmp (Filesize: 4KB)
- memory/4068-32-0x0000000000400000-0x00000000004BE000-memory.dmp (Filesize: 760KB)
- memory/4068-34-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
- memory/4068-35-0x0000000000400000-0x00000000004BE000-memory.dmp (Filesize: 760KB)
- memory/4068-37-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
- memory/4068-39-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
- memory/4068-43-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
- memory/4068-45-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)
- memory/4068-47-0x0000000000400000-0x00000000004B5000-memory.dmp (Filesize: 724KB)