Analysis
- max time kernel: 150s
- max time network: 120s
- platform: windows7_x64
- resource: win7-20240215-en
- resource tags: arch:x64, arch:x86, image:win7-20240215-en, locale:en-us, os:windows7-x64, system
- submitted: 02-05-2024 04:27
Static task: static1
Behavioral task: behavioral1
  Sample: 0d7fdb9b4f8fd7dad8bed13640839d24_JaffaCakes118.exe
  Resource: win7-20240215-en
Behavioral task: behavioral2
  Sample: 0d7fdb9b4f8fd7dad8bed13640839d24_JaffaCakes118.exe
  Resource: win10v2004-20240419-en
General
- Target: 0d7fdb9b4f8fd7dad8bed13640839d24_JaffaCakes118.exe
- Size: 1.9MB
- MD5: 0d7fdb9b4f8fd7dad8bed13640839d24
- SHA1: ec162c23c310dd27f69195ba9711f67f60dbc36a
- SHA256: 77e6549f91e50d0fa9a46300823eee0c5d26e0e887586972812e2103b8add68c
- SHA512: 4becd8ac3a536548fd777c3ed745890d0cfffa6328fbeaf1cdaed3a608acd8cc84bfa3838761748db85b847769041ebb1ade6798dafe38fc09765051dbb993a1
- SSDEEP: 49152:1Vjpl2+DwQ/bU/jCxmiya/EjErEFcZYxiHJKp:jjL2APxrya/EjEExiHk
Malware Config
Extracted
- Family: darkcomet
- Botnet: PC
- C2: svp1750.zapto.org:200
- Mutex: DC_MUTEX-03PY43J
- InstallPath: MSDCSC\msdcsc.exe
- gencode: ni5ENfz5E8rK
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: 0d7fdb9b4f8fd7dad8bed13640839d24_JaffaCakes118.exe
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 0d7fdb9b4f8fd7dad8bed13640839d24_JaffaCakes118.exe
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes: msdcsc.exe
description | ioc | Process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | msdcsc.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | msdcsc.exe
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | msdcsc.exe
-
Disables RegEdit via registry modification 1 IoCs
Processes: msdcsc.exe
description | ioc | Process
Set value (int) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | msdcsc.exe
-
Disables Task Manager via registry modification
-
Executes dropped EXE 2 IoCs
Processes: msdcsc.exe, msdcsc.exe
pid | Process
2612 | msdcsc.exe
2144 | msdcsc.exe
-
Loads dropped DLL 2 IoCs
Processes: 0d7fdb9b4f8fd7dad8bed13640839d24_JaffaCakes118.exe
pid | Process
2420 | 0d7fdb9b4f8fd7dad8bed13640839d24_JaffaCakes118.exe
2420 | 0d7fdb9b4f8fd7dad8bed13640839d24_JaffaCakes118.exe
-
Processes:
resource | yara_rule
behavioral1/memory/2420-50-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/2144-47-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/2144-46-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/2144-45-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/2144-44-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/2420-16-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/2420-15-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/2420-13-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/2420-10-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/2420-9-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/2420-7-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/2420-8-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/2144-51-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/2144-52-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/2144-53-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/2144-54-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/2144-55-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/2144-56-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/2144-57-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/2144-58-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/2144-59-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/2144-60-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/2144-61-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/2144-62-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/2144-63-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/2144-64-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/2144-65-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
behavioral1/memory/2144-66-0x0000000000400000-0x00000000004B8000-memory.dmp | upx
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 0d7fdb9b4f8fd7dad8bed13640839d24_JaffaCakes118.exe, msdcsc.exe
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 0d7fdb9b4f8fd7dad8bed13640839d24_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2248906074-2862704502-246302768-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | msdcsc.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes: 0d7fdb9b4f8fd7dad8bed13640839d24_JaffaCakes118.exe, msdcsc.exe
description | pid | Process | procid_target
PID 2416 set thread context of 2420 | 2416 | 0d7fdb9b4f8fd7dad8bed13640839d24_JaffaCakes118.exe | 28
PID 2612 set thread context of 2144 | 2612 | msdcsc.exe | 30
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes: 0d7fdb9b4f8fd7dad8bed13640839d24_JaffaCakes118.exe, msdcsc.exe
description | pid | Process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 IoCs) | 2420 | 0d7fdb9b4f8fd7dad8bed13640839d24_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 IoCs) | 2144 | msdcsc.exe
-
Suspicious use of SetWindowsHookEx 3 IoCs
Processes: 0d7fdb9b4f8fd7dad8bed13640839d24_JaffaCakes118.exe, msdcsc.exe, msdcsc.exe
pid | Process
2416 | 0d7fdb9b4f8fd7dad8bed13640839d24_JaffaCakes118.exe
2612 | msdcsc.exe
2144 | msdcsc.exe
-
Suspicious use of WriteProcessMemory 24 IoCs
Processes: 0d7fdb9b4f8fd7dad8bed13640839d24_JaffaCakes118.exe, 0d7fdb9b4f8fd7dad8bed13640839d24_JaffaCakes118.exe, msdcsc.exe
description | pid | Process | procid_target
PID 2416 wrote to memory of 2420 (10 IoCs) | 2416 | 0d7fdb9b4f8fd7dad8bed13640839d24_JaffaCakes118.exe | 28
PID 2420 wrote to memory of 2612 (4 IoCs) | 2420 | 0d7fdb9b4f8fd7dad8bed13640839d24_JaffaCakes118.exe | 29
PID 2612 wrote to memory of 2144 (10 IoCs) | 2612 | msdcsc.exe | 30
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\0d7fdb9b4f8fd7dad8bed13640839d24_JaffaCakes118.exe (PID 2416)
   Command line: "C:\Users\Admin\AppData\Local\Temp\0d7fdb9b4f8fd7dad8bed13640839d24_JaffaCakes118.exe"
   - Suspicious use of SetThreadContext
   - Suspicious use of SetWindowsHookEx
   - Suspicious use of WriteProcessMemory
  2. (child of 1) C:\Users\Admin\AppData\Local\Temp\0d7fdb9b4f8fd7dad8bed13640839d24_JaffaCakes118.exe (PID 2420)
     Command line: "C:\Users\Admin\AppData\Local\Temp\0d7fdb9b4f8fd7dad8bed13640839d24_JaffaCakes118.exe"
     - Modifies WinLogon for persistence
     - Loads dropped DLL
     - Adds Run key to start application
     - Suspicious use of AdjustPrivilegeToken
     - Suspicious use of WriteProcessMemory
    3. (child of 2) C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 2612)
       Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
       - Executes dropped EXE
       - Suspicious use of SetThreadContext
       - Suspicious use of SetWindowsHookEx
       - Suspicious use of WriteProcessMemory
      4. (child of 3) C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 2144)
         Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
         - Modifies firewall policy service
         - Disables RegEdit via registry modification
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)