Analysis
max time kernel: 151s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240226-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
submitted: 16-04-2024 10:16

Static task: static1
Behavioral task: behavioral1
  Sample: f347051180559aa6ecaab96f4d1c94cd_JaffaCakes118.exe
  Resource: win7-20240221-en
Behavioral task: behavioral2
  Sample: f347051180559aa6ecaab96f4d1c94cd_JaffaCakes118.exe
  Resource: win10v2004-20240226-en
General
Target: f347051180559aa6ecaab96f4d1c94cd_JaffaCakes118.exe
Size: 663KB
MD5: f347051180559aa6ecaab96f4d1c94cd
SHA1: dd5c5e32e585f5536e76784c7d5f8fa73e55f33a
SHA256: 107b9c46e78bb8a802029dd715bee34ca3fa31e1bae428d7e149dd10e8f38e3a
SHA512: cc019aa0769463a492089fb209672b222ff2c8aacec6672938979013f22b03e86765f1509f7ba28c6cc3dec51e19c2bae3573f4171e0b7d431a171dd2e42b241
SSDEEP: 12288:kcuhZ45W60V6ttoK+ouEm1/QxeCOEuOcq1/rNumqWG5/21EB/Q:kRhX6tFhuEG/QTOEuuNIWouixQ
Malware Config
Extracted
Family: darkcomet
Botnet: Windows
C2: baygoog.duckdns.org:1024
Mutex: DC_MUTEX-AVCEZSX
InstallPath: MSDCSC\msdcsc.exe
gencode: ZrKtz3mldrvg
install: true
offline_keylogger: true
persistence: true
reg_key: MicrosoftUpdater
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: vbc.exe
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (vbc.exe)

Executes dropped EXE (1 IoC)
Processes: msdcsc.exe
  PID 1428 msdcsc.exe

Uses the VBS compiler for execution (1 TTP)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: vbc.exe, vbc.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdater = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (vbc.exe)
  Set value (str) \REGISTRY\USER\S-1-5-21-3808065738-1666277613-1125846146-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicrosoftUpdater = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (vbc.exe)

Suspicious use of SetThreadContext (2 IoCs)
Processes: f347051180559aa6ecaab96f4d1c94cd_JaffaCakes118.exe
  PID 4820 set thread context of 4440 (process f347051180559aa6ecaab96f4d1c94cd_JaffaCakes118.exe, procid_target 95)
  PID 4820 set thread context of 2400 (process f347051180559aa6ecaab96f4d1c94cd_JaffaCakes118.exe, procid_target 105)

Suspicious behavior: EnumeratesProcesses (14 IoCs)
Processes: f347051180559aa6ecaab96f4d1c94cd_JaffaCakes118.exe
  PID 4820 f347051180559aa6ecaab96f4d1c94cd_JaffaCakes118.exe (14 identical entries)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: vbc.exe
  PID 2400 vbc.exe

Suspicious use of AdjustPrivilegeToken (49 IoCs)
Processes: f347051180559aa6ecaab96f4d1c94cd_JaffaCakes118.exe, vbc.exe, vbc.exe
  PID 4820 f347051180559aa6ecaab96f4d1c94cd_JaffaCakes118.exe: Token SeDebugPrivilege
  PID 4440 vbc.exe: Tokens SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 entries)
  PID 2400 vbc.exe: Tokens SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 entries)

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: vbc.exe
  PID 2400 vbc.exe

Suspicious use of WriteProcessMemory (59 IoCs)
Processes: f347051180559aa6ecaab96f4d1c94cd_JaffaCakes118.exe, csc.exe, vbc.exe, vbc.exe
  PID 4820 wrote to memory of 2428 (process f347051180559aa6ecaab96f4d1c94cd_JaffaCakes118.exe, procid_target 92): 3 entries
  PID 2428 wrote to memory of 3800 (process csc.exe, procid_target 94): 3 entries
  PID 4820 wrote to memory of 4440 (process f347051180559aa6ecaab96f4d1c94cd_JaffaCakes118.exe, procid_target 95): 14 entries
  PID 4440 wrote to memory of 1428 (process vbc.exe, procid_target 100): 3 entries
  PID 4820 wrote to memory of 2400 (process f347051180559aa6ecaab96f4d1c94cd_JaffaCakes118.exe, procid_target 105): 14 entries
  PID 2400 wrote to memory of 4992 (process vbc.exe, procid_target 106): 22 entries
Processes

- C:\Users\Admin\AppData\Local\Temp\f347051180559aa6ecaab96f4d1c94cd_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\f347051180559aa6ecaab96f4d1c94cd_JaffaCakes118.exe"
  PID: 4820
  - Suspicious use of SetThreadContext
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\csc.exe" /noconfig /fullpaths @"C:\Users\Admin\AppData\Local\Temp\tz91ld2s.cmdline"
    PID: 2428
    - Suspicious use of WriteProcessMemory

    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RESC9E.tmp" "c:\Users\Admin\AppData\Local\Temp\CSCC8E.tmp"
      PID: 3800

  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    PID: 4440
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      PID: 1428
      - Executes dropped EXE

  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe"
    PID: 2400
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
      PID: 4992

- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4040 --field-trial-handle=2328,i,5873823382323802923,13134441441264702821,262144 --variations-seed-version /prefetch:8
  PID: 2964
Network
MITRE ATT&CK Enterprise v15
Downloads