Analysis
- max time kernel: 148s
- max time network: 150s
- platform: windows10-2004_x64
- resource: win10v2004-20240419-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240419-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 02-05-2024 00:30

Behavioral task: behavioral1
- Sample: 0cfbd4e91dea075e7f3731ed5116c945_JaffaCakes118.exe
- Resource: win7-20240220-en
General
- Target: 0cfbd4e91dea075e7f3731ed5116c945_JaffaCakes118.exe
- Size: 1.3MB
- MD5: 0cfbd4e91dea075e7f3731ed5116c945
- SHA1: ab10a58d6cdfa713405c6f3ea32bcea5fb01567a
- SHA256: e01c2cb5400fc2b1739f6705ecd0b4ce42c7339f0101c4d92d40ec2db07a0956
- SHA512: 0bfc21a4c6b54433b91d37036f2d72f51cdce0edfa7ab3422635f6b4925c142a6c156a0fb1151006f1de1c19460e1e47c46a61ec5418ce8c109b4a1b932407f7
- SSDEEP: 24576:vZ1xuVVjfFoynPaVBUR8f+kN10EByZ1xuVVjfFoynPaVBUR8f+kN10EB8:RQDgok30VQDgok30L

The SSDEEP hash repeats the same chunk sequence twice (Z1xuVVjfFoynPaVBUR8f+kN10EB ... Z1xuVVjfFoynPaVBUR8f+kN10EB), which is consistent with the 1.3MB dropper carrying two embedded executables of similar size; compare the two captured files under Downloads (668KB and 659KB).
Malware Config
Extracted
- family: darkcomet
- campaign/botnet name: Батарейка (Russian for "battery"; the report renders this cp1251 string as the Latin-1 mojibake "Áàòàðåéêà")
- C2: 178.46.120.54:1604 (1604 is DarkComet's default listener port)
- mutex: DC_MUTEX-NSKK5Q3
- InstallPath: APP#\msdcsc.exe
- gencode: LasvCxAaw4RN
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate

Note that persistence: false is a separate builder option; autostart is still configured (install: true with reg_key: MicroUpdate), and the Winlogon UserInit and Run key changes recorded under Signatures confirm it was applied.
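The extracted config above turned into checkable IoCs, as an added example that is not part of the report or of the sample. It also repairs the two cp1251 strings (the campaign name and the dropped file name) that the report shows as Latin-1 mojibake. The labels for the unlabeled config lines, the "Admin" profile name and the literal %APPDATA%\APP# join are this example's own assumptions, taken from the paths the process tree in this report shows.

```python
# Added example (not from the report or the sample): turn the extracted DarkComet
# config into checkable IoCs and repair the cp1251 strings that the report
# renders as Latin-1 mojibake. Field labels for the unlabeled lines are assumptions.

REPORT_CONFIG = {
    "family": "darkcomet",
    "campaign_id": "Áàòàðåéêà",          # unlabeled first line; assumed to be the campaign/botnet name
    "c2": "178.46.120.54:1604",
    "mutex": "DC_MUTEX-NSKK5Q3",
    "InstallPath": "APP#\\msdcsc.exe",
    "gencode": "LasvCxAaw4RN",
    "install": True,
    "offline_keylogger": True,
    "persistence": False,
    "reg_key": "MicroUpdate",
}


def repair_cp1251_mojibake(text: str) -> str:
    """Undo cp1251 bytes that were displayed as Latin-1 ('Áàòàðåéêà' -> 'Батарейка').

    The input is returned unchanged when it is not representable in Latin-1,
    when the bytes are not valid cp1251, or when the result is not mostly
    Cyrillic (so plain ASCII names such as 'msdcsc.exe' pass through untouched).
    """
    try:
        candidate = text.encode("latin-1").decode("cp1251")
    except UnicodeError:
        return text
    letters = [c for c in candidate if c.isalpha()]
    cyrillic = sum(1 for c in letters if "\u0400" <= c <= "\u04ff")
    return candidate if letters and 2 * cyrillic >= len(letters) else text


def iocs_from_config(cfg: dict, user: str = "Admin") -> dict:
    """Derive host and network IoCs from the config; `user` is the profile the sample ran under.

    The install directory is joined literally under %APPDATA% (assumption), which
    is where the process tree in this report shows APP#\\msdcsc.exe being created.
    """
    host, _, port = cfg["c2"].rpartition(":")
    roaming = f"C:\\Users\\{user}\\AppData\\Roaming"
    install_path = roaming + "\\" + cfg["InstallPath"]
    return {
        "campaign_id": repair_cp1251_mojibake(cfg["campaign_id"]),
        "c2": (host, int(port)),
        "mutex": cfg["mutex"],
        "install_path": install_path,
        # HKCU Run value named after reg_key (the report shows it under the user's SID hive)
        "run_key_value": "HKCU\\Software\\Microsoft\\Windows\\CurrentVersion\\Run\\" + cfg["reg_key"],
        # Winlogon UserInit as it looks after the sample appends its copy to the stock entry
        "userinit_tampered": "C:\\Windows\\system32\\userinit.exe," + install_path,
    }


if __name__ == "__main__":
    for key, value in iocs_from_config(REPORT_CONFIG).items():
        print(f"{key:18} {value}")
    print("second dropped file:", repair_cp1251_mojibake("Ìàêðîñ.exe"))
```

The Cyrillic check in repair_cp1251_mojibake is what keeps the function safe to apply to every string in a report: ASCII names round-trip unchanged, and a string that happens to be valid Latin-1 but decodes to non-Cyrillic garbage is left alone.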
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
- Virus.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\Windows\system32\userinit.exe,C:\Users\Admin\AppData\Roaming\APP#\msdcsc.exe"
The stock value is "C:\Windows\system32\userinit.exe," on its own. Winlogon runs every comma-separated entry at interactive logon, so appending msdcsc.exe gives the RAT a second autostart path that survives removal of the Run key below.
-
Modifies security service (2 TTPs, 1 IoC)
Processes:
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"
Start = 4 is SERVICE_DISABLED; wscsvc is the Windows Security Center service.
-
Windows security bypass (title taken from the process tree)
Processes:
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
These values suppress the Security Center warnings about disabled updates and antivirus. The WOW6432Node path shows a 32-bit process writing through registry redirection on the x64 guest.
-
Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes:
- attrib.exe (PID 2208)
- attrib.exe (PID 1176)
-
Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
Processes:
- 0cfbd4e91dea075e7f3731ed5116c945_JaffaCakes118.exe: Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation
- Virus.exe: Key value queried \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\Control Panel\International\Geo\Nation
-
Drops startup file (2 IoCs)
Processes:
- 0cfbd4e91dea075e7f3731ed5116c945_JaffaCakes118.exe: File created C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virus.exe
- attrib.exe: File opened for modification C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virus.exe
-
Executes dropped EXE (3 IoCs)
Processes:
- Virus.exe (PID 468)
- Макрос.exe (PID 3748; Russian for "Macro", shown as Ìàêðîñ.exe in the report's Latin-1 rendering)
- msdcsc.exe (PID 636)
-
Windows security modification (title taken from the process tree)
Processes:
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
(The same two values as under Windows security bypass above.)
-
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- Virus.exe: Set value (str) \REGISTRY\USER\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\Users\Admin\AppData\Roaming\APP#\msdcsc.exe"
The value name matches reg_key in the extracted config, and both autostart entries (this Run value and the Winlogon UserInit entry above) point at the same InstallPath copy.
-
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class (1 IoC)
Processes:
- Virus.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
-
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- msdcsc.exe (PID 636)
Polling the foreground window is how a keylogger records which application received each keystroke; together with the SetWindowsHookEx use below this is consistent with the offline_keylogger: true setting in the config.
-
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes:
- Virus.exe (PID 468) and msdcsc.exe (PID 636) each enabled the same 24 privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the privileges the report lists only by LUID, 33, 34, 35 and 36 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege in winnt.h).
Enabling every privilege in the token at once, rather than the one an operation needs, is itself a useful detection signal; SeDebugPrivilege, SeBackupPrivilege and SeRestorePrivilege are the ones that matter for process, file and registry access.
-
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- msdcsc.exe (PID 636)
-
Suspicious use of WriteProcessMemory (21 IoCs)
Processes (each parent-to-child write appears three times in the raw listing; the number in parentheses is the report's procid_target):
- 5048 0cfbd4e91dea075e7f3731ed5116c945_JaffaCakes118.exe wrote to memory of 468 Virus.exe (83)
- 5048 0cfbd4e91dea075e7f3731ed5116c945_JaffaCakes118.exe wrote to memory of 3748 Макрос.exe (84)
- 468 Virus.exe wrote to memory of 3256 cmd.exe (88)
- 468 Virus.exe wrote to memory of 2316 cmd.exe (89)
- 3256 cmd.exe wrote to memory of 2208 attrib.exe (92)
- 2316 cmd.exe wrote to memory of 1176 attrib.exe (93)
- 468 Virus.exe wrote to memory of 636 msdcsc.exe (94)
Every write is from a parent into the child it had just started, which is what process creation looks like in this telemetry; nothing here shows a write into an unrelated process.
-
System policy modification (1 TTP, 3 IoCs)
Processes:
- msdcsc.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"
- msdcsc.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
The key paths are reproduced as observed. Explorer reads NoControlPanel from \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, so a value under Policies\CurrentVersion\Explorern is not honored; treat the key as an artifact to hunt for rather than as a working Control Panel lock-out.
-
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes:
- attrib.exe (PID 2208)
- attrib.exe (PID 1176)
Processes
-
C:\Users\Admin\AppData\Local\Temp\0cfbd4e91dea075e7f3731ed5116c945_JaffaCakes118.exe (PID 5048)
    Command line: "C:\Users\Admin\AppData\Local\Temp\0cfbd4e91dea075e7f3731ed5116c945_JaffaCakes118.exe"
    - Checks computer location settings
    - Drops startup file
    - Suspicious use of WriteProcessMemory

    C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virus.exe (PID 468, child of 5048)
        Command line: "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virus.exe"
        - Modifies WinLogon for persistence
        - Checks computer location settings
        - Executes dropped EXE
        - Adds Run key to start application
        - Modifies registry class
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\cmd.exe (PID 3256, child of 468)
            Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virus.exe" +s +h
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\attrib.exe (PID 2208, child of 3256)
                Command line: attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virus.exe" +s +h
                - Sets file to hidden
                - Drops startup file
                - Views/modifies file attributes

        C:\Windows\SysWOW64\cmd.exe (PID 2316, child of 468)
            Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" +s +h
            - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\attrib.exe (PID 1176, child of 2316)
                Command line: attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" +s +h
                - Sets file to hidden
                - Views/modifies file attributes

        C:\Users\Admin\AppData\Roaming\APP#\msdcsc.exe (PID 636, child of 468)
            Command line: "C:\Users\Admin\AppData\Roaming\APP#\msdcsc.exe"
            - Modifies security service
            - Windows security bypass
            - Executes dropped EXE
            - Windows security modification
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - System policy modification

    C:\Users\Admin\AppData\Local\Temp\Макрос.exe (PID 3748, child of 5048; shown as Ìàêðîñ.exe in the report's Latin-1 rendering)
        Command line: "C:\Users\Admin\AppData\Local\Temp\Макðос.exe"
        - Executes dropped EXE

The two cmd.exe children are requested as C:\Windows\System32\cmd.exe but run from C:\Windows\SysWOW64: the parent is 32-bit, so file-system redirection applies. attrib +s +h marks both the dropped Startup item and the Startup folder itself as system and hidden, which Explorer does not show unless "Hide protected operating system files" is turned off; /k leaves each cmd.exe running after attrib returns.
-
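Detection logic for the Signatures above, run against telemetry shaped like the process chain in the tree, as an added example that is not part of the report or of the sample. The records are constructed for this example and mirror the report's IoCs (plus two benign records that must not fire); their field names follow Sysmon Event ID 13 (RegistryEvent SetValue: TargetObject/Details) and Event ID 1 (ProcessCreate: Image/CommandLine), and the rule names are this example's own.

```python
# Added example (not from the report): detection logic for the persistence and
# defense-evasion changes listed under Signatures, run over constructed telemetry.
import re

# Constructed records (not from the report) shaped like Sysmon Event ID 13 and Event ID 1.
SAMPLE_EVENTS = [
    {"id": 13, "image": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virus.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     "details": r"C:\Windows\system32\userinit.exe,C:\Users\Admin\AppData\Roaming\APP#\msdcsc.exe"},
    {"id": 13, "image": r"C:\Users\Admin\AppData\Roaming\APP#\msdcsc.exe",
     "target": r"HKLM\SYSTEM\ControlSet001\Services\wscsvc\Start",
     "details": "DWORD (0x00000004)"},
    {"id": 13, "image": r"C:\Users\Admin\AppData\Roaming\APP#\msdcsc.exe",
     "target": r"HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify",
     "details": "1"},
    {"id": 13, "image": r"C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\Virus.exe",
     "target": r"HKU\S-1-5-21-3726321484-1950364574-433157660-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate",
     "details": r"C:\Users\Admin\AppData\Roaming\APP#\msdcsc.exe"},
    {"id": 13, "image": r"C:\Users\Admin\AppData\Roaming\APP#\msdcsc.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel",
     "details": "1"},
    {"id": 1, "image": r"C:\Windows\SysWOW64\attrib.exe",
     "cmdline": r'attrib "C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup" +s +h'},
    # benign: the stock UserInit value rewritten by a system component, and a harmless attrib
    {"id": 13, "image": r"C:\Windows\System32\svchost.exe",
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit",
     "details": r"C:\Windows\system32\userinit.exe,"},
    {"id": 1, "image": r"C:\Windows\System32\attrib.exe",
     "cmdline": r'attrib -r "C:\Users\Admin\Documents\notes.txt"'},
]

USERINIT_DEFAULT = r"c:\windows\system32\userinit.exe"


def _as_int(details: str):
    """Read Sysmon's 'DWORD (0x00000004)' rendering or a bare numeric string; None otherwise."""
    m = re.search(r"0x([0-9a-f]+)", details, re.I)
    if m:
        return int(m.group(1), 16)
    return int(details) if details.strip().isdigit() else None


def check_registry(ev: dict) -> list:
    """Rules for registry SetValue records; returns the names of the rules that match."""
    target, details = ev["target"].lower(), ev["details"]
    hits = []
    if target.endswith("\\winlogon\\userinit"):
        # anything beyond the stock userinit.exe entry is an added logon helper
        extra = [p for p in details.lower().split(",") if p.strip() and p.strip() != USERINIT_DEFAULT]
        if extra:
            hits.append("winlogon_userinit_helper_added")
    if target.endswith("\\services\\wscsvc\\start") and _as_int(details) == 4:  # 4 = SERVICE_DISABLED
        hits.append("security_center_service_disabled")
    if re.search(r"\\security center\\(antivirus|firewall|updates)disablenotify$", target) and _as_int(details) == 1:
        hits.append("security_center_notifications_disabled")
    if "\\currentversion\\run\\" in target and "\\appdata\\" in details.lower():
        hits.append("run_key_points_into_appdata")
    if target.endswith("\\nocontrolpanel") and _as_int(details) == 1:
        hits.append("control_panel_disabled_by_policy")
    return hits


def check_process(ev: dict) -> list:
    """Rule for process-creation records: attrib marking a Startup item system+hidden."""
    image, cmd = ev["image"].lower(), ev["cmdline"].lower()
    tokens = cmd.split()
    if (image.endswith("\\attrib.exe") and "+s" in tokens and "+h" in tokens
            and "\\start menu\\programs\\startup" in cmd):
        return ["startup_item_hidden_with_attrib"]
    return []


def scan(events: list) -> list:
    """Return (rule, image basename) pairs for every record that matches a rule."""
    findings = []
    for ev in events:
        hits = check_registry(ev) if ev["id"] == 13 else check_process(ev) if ev["id"] == 1 else []
        findings.extend((h, ev["image"].rsplit("\\", 1)[-1]) for h in hits)
    return findings


if __name__ == "__main__":
    for rule, image in scan(SAMPLE_EVENTS):
        print(f"{rule:40} {image}")
```

The UserInit rule compares against the stock entry rather than looking for msdcsc.exe by name, so it also catches a renamed copy; the Security Center rule accepts both Sysmon's DWORD rendering and the plain string "1" that this sample writes.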
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads
-
- Filesize: 668KB
- MD5: 2269a69bf8d016c3916631603fbdcad3
- SHA1: 26c8d00cb8b1c0eb64c11b15c8db46ccb3ac1ff0
- SHA256: e8b8d67fe55fe4530b29b5a0e3cec32740fbe2b56235729046d5011cf3dccc09
- SHA512: ed66c85f78cab40c07cc87b80b6cc4a9c3ec3429cae58132520312d199ba2ba051950188f14b702ca4033bd81cca61a88e7f6b1191cad150968150de90d2d3e6
-
- Filesize: 659KB
- MD5: 26144f316dc5f581b868123ead319687
- SHA1: 46f870dd0033323a629676309e19d2ce48a8dc3a
- SHA256: 6321ae811ff96e6ddf1fe35abb80a6fa6a3f6866793c5d7e8de2bb191fd206e1
- SHA512: 1921b066907984e4d1cc4e87a195154538ed779e794aba0f5eec8eaa9d17fde0b7df13d0333f1c562a2b19d7a1544a020432fa693d47fffe2fda5c29ba36223c