Analysis
max time kernel: 149s
max time network: 147s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 16-04-2024 10:16
Static task: static1
Behavioral task: behavioral1
  Sample: f347051180559aa6ecaab96f4d1c94cd_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f347051180559aa6ecaab96f4d1c94cd_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: f347051180559aa6ecaab96f4d1c94cd_JaffaCakes118.exe
Size: 663KB
MD5: f347051180559aa6ecaab96f4d1c94cd
SHA1: dd5c5e32e585f5536e76784c7d5f8fa73e55f33a
SHA256: 107b9c46e78bb8a802029dd715bee34ca3fa31e1bae428d7e149dd10e8f38e3a
SHA512: cc019aa0769463a492089fb209672b222ff2c8aacec6672938979013f22b03e86765f1509f7ba28c6cc3dec51e19c2bae3573f4171e0b7d431a171dd2e42b241
SSDEEP: 12288:kcuhZ45W60V6ttoK+ouEm1/QxeCOEuOcq1/rNumqWG5/21EB/Q:kRhX6tFhuEG/QTOEuuNIWouixQ
Malware Config
Extracted family: darkcomet
Windows
C2: baygoog.duckdns.org:1024
Mutex: DC_MUTEX-AVCEZSX
InstallPath: MSDCSC\msdcsc.exe
gencode: ZrKtz3mldrvg
install: true
offline_keylogger: true
persistence: true
reg_key: MicrosoftUpdater
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
  vbc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"

Executes dropped EXE (1 IoC)
Processes:
  PID 2508 msdcsc.exe

Loads dropped DLL (1 IoC)
Processes:
  PID 2556 vbc.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  vbc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdater = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  vbc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2297530677-1229052932-2803917579-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdater = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
Suspicious use of SetThreadContext (2 IoCs)
Processes:
  PID 2732 f347051180559aa6ecaab96f4d1c94cd_JaffaCakes118.exe set thread context of 2556 (procid_target 31)
  PID 2732 f347051180559aa6ecaab96f4d1c94cd_JaffaCakes118.exe set thread context of 2624 (procid_target 34)

Suspicious behavior: EnumeratesProcesses (10 IoCs)
Processes:
  PID 2732 f347051180559aa6ecaab96f4d1c94cd_JaffaCakes118.exe (10 events)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
  PID 2624 vbc.exe
Suspicious use of AdjustPrivilegeToken (47 IoCs)
Processes:
  PID 2732 f347051180559aa6ecaab96f4d1c94cd_JaffaCakes118.exe: Token SeDebugPrivilege
  PID 2556 vbc.exe: Tokens SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 2624 vbc.exe: Tokens SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
  PID 2624 vbc.exe

Suspicious use of WriteProcessMemory (61 IoCs)
Processes:
  PID 2732 f347051180559aa6ecaab96f4d1c94cd_JaffaCakes118.exe wrote to memory of 2652 (procid_target 28): 4 events
  PID 2652 csc.exe wrote to memory of 2564 (procid_target 30): 4 events
  PID 2732 f347051180559aa6ecaab96f4d1c94cd_JaffaCakes118.exe wrote to memory of 2556 (procid_target 31): 13 events
  PID 2556 vbc.exe wrote to memory of 2508 (procid_target 32): 4 events
  PID 2732 f347051180559aa6ecaab96f4d1c94cd_JaffaCakes118.exe wrote to memory of 2624 (procid_target 34): 13 events
  PID 2624 vbc.exe wrote to memory of 1940 (procid_target 35): 23 events
Processes
C:\Users\Admin\AppData\Local\Temp\f347051180559aa6ecaab96f4d1c94cd_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f347051180559aa6ecaab96f4d1c94cd_JaffaCakes118.exe"
  PID: 2732
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\vngbkom8.cmdline"
    PID: 2652
    - Suspicious use of WriteProcessMemory
    C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES122B.tmp" "c:\Users\Admin\AppData\Local\Temp\CSC122A.tmp"
      PID: 2564
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    PID: 2556
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      PID: 2508
      - Executes dropped EXE
  C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    PID: 2624
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
      PID: 1940
Network
MITRE ATT&CK Enterprise v15
Downloads