Analysis
max time kernel: 149s
max time network: 144s
platform: windows7_x64
resource: win7-20240220-en
resource tags: arch:x64, arch:x86, image:win7-20240220-en, locale:en-us, os:windows7-x64, system
submitted: 02-05-2024 00:30
Behavioral task: behavioral1
Sample: 0cfbd4e91dea075e7f3731ed5116c945_JaffaCakes118.exe
Resource: win7-20240220-en
General
Target: 0cfbd4e91dea075e7f3731ed5116c945_JaffaCakes118.exe
Size: 1.3MB
MD5: 0cfbd4e91dea075e7f3731ed5116c945
SHA1: ab10a58d6cdfa713405c6f3ea32bcea5fb01567a
SHA256: e01c2cb5400fc2b1739f6705ecd0b4ce42c7339f0101c4d92d40ec2db07a0956
SHA512: 0bfc21a4c6b54433b91d37036f2d72f51cdce0edfa7ab3422635f6b4925c142a6c156a0fb1151006f1de1c19460e1e47c46a61ec5418ce8c109b4a1b932407f7
SSDEEP: 24576:vZ1xuVVjfFoynPaVBUR8f+kN10EByZ1xuVVjfFoynPaVBUR8f+kN10EB8:RQDgok30VQDgok30L
Malware Config
Extracted
Family: darkcomet
Botnet: Áàòàðåéêà
C2: 178.46.120.54:1604
Mutex: DC_MUTEX-NSKK5Q3
InstallPath: APP#\msdcsc.exe
gencode: LasvCxAaw4RN
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: Virus.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\APP#\\msdcsc.exe" (Virus.exe)
-
Modifies security service (2 TTPs, 1 IoC)
Process: msdcsc.exe
Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" (msdcsc.exe)
-
Windows security bypass (2 IoCs)
Process: msdcsc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (msdcsc.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (msdcsc.exe)
-
Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe (PID 292), attrib.exe (PID 2408)
-
Drops startup file (2 IoCs)
Processes: 0cfbd4e91dea075e7f3731ed5116c945_JaffaCakes118.exe, attrib.exe
File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virus.exe (0cfbd4e91dea075e7f3731ed5116c945_JaffaCakes118.exe)
File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virus.exe (attrib.exe)
-
Executes dropped EXE (3 IoCs)
Processes: Virus.exe (PID 3004), Ìàêðîñ.exe (PID 2636), msdcsc.exe (PID 2444)
-
Loads dropped DLL (6 IoCs)
Processes: 0cfbd4e91dea075e7f3731ed5116c945_JaffaCakes118.exe (PID 2872, 4 IoCs), Virus.exe (PID 3004, 2 IoCs)
-
Windows security modification (2 IoCs)
Process: msdcsc.exe
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (msdcsc.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (msdcsc.exe)
-
Adds Run key to start application (2 TTPs, 1 IoC)
Process: Virus.exe
Set value (str) \REGISTRY\USER\S-1-5-21-2721934792-624042501-2768869379-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\APP#\\msdcsc.exe" (Virus.exe)
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: msdcsc.exe (PID 2444)
-
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes: Virus.exe (PID 3004), msdcsc.exe (PID 2444)
Each of the two processes adjusted the same 23 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: msdcsc.exe (PID 2444)
-
Suspicious use of WriteProcessMemory (28 IoCs)
Processes: 0cfbd4e91dea075e7f3731ed5116c945_JaffaCakes118.exe, Virus.exe, cmd.exe, cmd.exe
Each of the following writes was recorded 4 times (source PID, target PID, procid_target):
PID 2872 (0cfbd4e91dea075e7f3731ed5116c945_JaffaCakes118.exe) wrote to memory of 3004, procid_target 28
PID 2872 (0cfbd4e91dea075e7f3731ed5116c945_JaffaCakes118.exe) wrote to memory of 2636, procid_target 29
PID 3004 (Virus.exe) wrote to memory of 2436, procid_target 30
PID 3004 (Virus.exe) wrote to memory of 2588, procid_target 32
PID 2436 (cmd.exe) wrote to memory of 292, procid_target 34
PID 2588 (cmd.exe) wrote to memory of 2408, procid_target 35
PID 3004 (Virus.exe) wrote to memory of 2444, procid_target 36
-
System policy modification (1 TTP, 3 IoCs)
Process: msdcsc.exe
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern (msdcsc.exe)
Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" (msdcsc.exe)
Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion (msdcsc.exe)
-
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe (PID 292), attrib.exe (PID 2408)
Processes (indented by depth in the process tree)
-
C:\Users\Admin\AppData\Local\Temp\0cfbd4e91dea075e7f3731ed5116c945_JaffaCakes118.exe
Command line: "C:\Users\Admin\AppData\Local\Temp\0cfbd4e91dea075e7f3731ed5116c945_JaffaCakes118.exe"
- Drops startup file
- Loads dropped DLL
- Suspicious use of WriteProcessMemory
PID: 2872
-
  C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virus.exe
  Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virus.exe"
  - Modifies WinLogon for persistence
  - Executes dropped EXE
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  PID: 3004
-
    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virus.exe" +s +h
    - Suspicious use of WriteProcessMemory
    PID: 2436
-
      C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virus.exe" +s +h
      - Sets file to hidden
      - Drops startup file
      - Views/modifies file attributes
      PID: 292
-
    C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" +s +h
    - Suspicious use of WriteProcessMemory
    PID: 2588
-
      C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
      PID: 2408
-
    C:\Users\Admin\AppData\Roaming\APP#\msdcsc.exe
    Command line: "C:\Users\Admin\AppData\Roaming\APP#\msdcsc.exe"
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
    PID: 2444
-
  C:\Users\Admin\AppData\Local\Temp\Ìàêðîñ.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\Ìàêðîñ.exe"
  - Executes dropped EXE
  PID: 2636
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Create or Modify System Process (1)
- Windows Service (1)
Privilege Escalation
Boot or Logon Autostart Execution (2)
- Registry Run Keys / Startup Folder (1)
- Winlogon Helper DLL (1)
Create or Modify System Process (1)
- Windows Service (1)
Downloads
-
Filesize: 668KB
MD5: 2269a69bf8d016c3916631603fbdcad3
SHA1: 26c8d00cb8b1c0eb64c11b15c8db46ccb3ac1ff0
SHA256: e8b8d67fe55fe4530b29b5a0e3cec32740fbe2b56235729046d5011cf3dccc09
SHA512: ed66c85f78cab40c07cc87b80b6cc4a9c3ec3429cae58132520312d199ba2ba051950188f14b702ca4033bd81cca61a88e7f6b1191cad150968150de90d2d3e6
-
Filesize: 659KB
MD5: 26144f316dc5f581b868123ead319687
SHA1: 46f870dd0033323a629676309e19d2ce48a8dc3a
SHA256: 6321ae811ff96e6ddf1fe35abb80a6fa6a3f6866793c5d7e8de2bb191fd206e1
SHA512: 1921b066907984e4d1cc4e87a195154538ed779e794aba0f5eec8eaa9d17fde0b7df13d0333f1c562a2b19d7a1544a020432fa693d47fffe2fda5c29ba36223c