Analysis

max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240419-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240419-en locale:en-us os:windows10-2004-x64 system
submitted: 04-05-2024 23:44
Behavioral task: behavioral1
Sample: 1502da8208dab511b9a20b8bd5ca0683_JaffaCakes118.exe
Resource: win7-20240220-en
General

Target: 1502da8208dab511b9a20b8bd5ca0683_JaffaCakes118.exe
Size: 691KB
MD5: 1502da8208dab511b9a20b8bd5ca0683
SHA1: b221b40878da9d5a846bdcb8b773517c2c1c9f8d
SHA256: 0f8453795d064dcfed957738605d6535e6d7aed3903663f2a39c24190aeb55f0
SHA512: 9016fb4ff3374e04fd6b99bcc82266e0d8b8e81348306b0538f23132c24b1178730c84ff55c485a49cbf3740df6cdb6ad52bc3a2ac49b01142e7ba965666a7b6
SSDEEP: 12288:q9HMeUmcufrvA3kb445UEJ2jsWiD4EvFuu4cNgZhCiZKD/XdyF+u:miBIGkbxqEcjsWiDxguehC2Sy
Malware Config

Extracted family: darkcomet
Botnet / campaign ID: Guest16
C2: kop2090a.ddns.net:1604
Mutex: DC_MUTEX-LWJ5CU9
InstallPath: MSDCSC\msdcsc.exe
gencode: Vn1ccigfUluv
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate

Notes for triage: InstallPath is relative to the user's roaming profile, which matches the observed drop at C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe, and reg_key is the value name used for the Run entry below. The config's persistence flag is false, yet the run still produced both a Run key and a Winlogon UserInit modification, so do not use that flag alone to judge whether a host needs cleanup.
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: 1502da8208dab511b9a20b8bd5ca0683_JaffaCakes118.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"
  The stock value is "C:\Windows\system32\userinit.exe," alone; the appended path makes Winlogon start the dropped RAT at every interactive logon, independently of the Run key below. Cleanup must restore the stock value, not just delete the dropped file.

Modifies firewall policy service (2 TTPs, 3 IoCs)
Process: msdcsc.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"

Modifies security service (2 TTPs, 1 IoC)
Process: msdcsc.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"
  Start = 4 is SERVICE_DISABLED: the Security Center service (wscsvc) will no longer start at boot.

Windows security bypass (2 IoCs)
Process: msdcsc.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"

Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
Process: 1502da8208dab511b9a20b8bd5ca0683_JaffaCakes118.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
- PID 4840: msdcsc.exe

Windows security modification (2 IoCs)
Process: msdcsc.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"

Adds Run key to start application (2 TTPs, 1 IoC)
Process: 1502da8208dab511b9a20b8bd5ca0683_JaffaCakes118.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe"
  The value name MicroUpdate is the reg_key field from the extracted config.

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
Process: 1502da8208dab511b9a20b8bd5ca0683_JaffaCakes118.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious use of AdjustPrivilegeToken (48 IoCs)
Both processes enable the same 24 privileges on their own token (24 IoCs each):
- PID 3104 (1502da8208dab511b9a20b8bd5ca0683_JaffaCakes118.exe) and PID 4840 (msdcsc.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, plus the unnamed privilege LUIDs 33, 34, 35 and 36.
  AdjustTokenPrivileges can only enable privileges the token already holds. Privileges such as SeDebugPrivilege and SeLoadDriverPrivilege are present only in an elevated administrator token, so on a standard-user token most of these requests are no-ops; the signature records the attempt, not its success.

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 4840: msdcsc.exe
  Consistent with the keylogger option in the extracted config (offline_keylogger: true).

Suspicious use of WriteProcessMemory (3 IoCs)
- PID 3104 (1502da8208dab511b9a20b8bd5ca0683_JaffaCakes118.exe) wrote to the memory of PID 4840 (msdcsc.exe), procid_target 94; recorded three times.
  A parent writing into a child it has just created is the usual injection pattern, so compare the on-disk msdcsc.exe with the image actually running in PID 4840 before relying on the file hash.

System policy modification (1 TTP, 3 IoCs)
Process: msdcsc.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
  Note the path as written: the NoControlPanel policy that Explorer honours lives under ...\CurrentVersion\Policies\Explorer, so this value (under Policies\CurrentVersion\Explorern) has no effect on the Control Panel, but the odd key is a usable artefact of this sample.
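The registry writes listed above are the IoCs a host-based rule would key on. What follows is an added example, not the sandbox's output or DarkComet's code: a small Python rule set derived from the Signatures section, run over constructed Sysmon-style RegistryEvent (SetValue) records. The record format, the function names (scan, classify, normalize_key, reg_int, userinit_extras) and the two benign records are the example's own assumptions; the five malicious records mirror the IoCs in this report.

```python
"""Registry IoC rules for the DarkComet behaviour in this report.
Added example, not part of the sandbox report or of DarkComet itself. Keys are
normalised first because the sandbox and Sysmon spell them differently
(\\REGISTRY\\MACHINE vs HKLM, ControlSet001 vs CurrentControlSet, a per-user
SID hive vs HKCU, WOW6432Node vs the native SOFTWARE path)."""
import re
from collections import namedtuple

# Stock Winlogon\UserInit value; anything after the comma runs at every logon.
CLEAN_USERINIT = r"C:\Windows\system32\userinit.exe,"
# Security Center switches that silence "protection is off" warnings.
SECCENTER_SWITCHES = {"antivirusdisablenotify", "firewalldisablenotify",
                      "updatesdisablenotify"}

# Constructed input (not sandbox output): five records mirroring the report's
# IoCs, then two benign records the rules must leave alone.
EVENTS = r"""
pid=3104 image="C:\Users\Admin\AppData\Local\Temp\1502da8208dab511b9a20b8bd5ca0683_JaffaCakes118.exe" target="\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit" details="C:\Windows\system32\userinit.exe,C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
pid=3104 image="C:\Users\Admin\AppData\Local\Temp\1502da8208dab511b9a20b8bd5ca0683_JaffaCakes118.exe" target="HKU\S-1-5-21-877519540-908060166-1852957295-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate" details="C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
pid=4840 image="C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe" target="HKLM\System\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall" details="DWORD (0x00000000)"
pid=4840 image="C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe" target="\REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start" details="DWORD (0x00000004)"
pid=4840 image="C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe" target="HKLM\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify" details="1"
pid=1200 image="C:\Program Files\Vendor\setup.exe" target="HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\VendorTray" details="C:\Program Files\Vendor\tray.exe"
pid=900 image="C:\Windows\System32\svchost.exe" target="HKLM\System\CurrentControlSet\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall" details="DWORD (0x00000001)"
"""

_FIELD = re.compile(r'(\w+)=(?:"([^"]*)"|(\S+))')
Finding = namedtuple("Finding", "rule pid image target detail")

def parse_event(line):
    """Parse one 'key=value key="quoted value"' record into a dict."""
    ev = {}
    for m in _FIELD.finditer(line):
        ev[m.group(1)] = m.group(2) if m.group(3) is None else m.group(3)
    ev["pid"] = int(ev.get("pid", 0))
    return ev

def normalize_key(path):
    """Map the sandbox and Sysmon key spellings onto one canonical form."""
    p = re.sub(r"^\\REGISTRY\\MACHINE", "HKLM", path, flags=re.I)
    p = re.sub(r"^(?:\\REGISTRY\\USER|HKU)\\S-1-5-21(?:-\d+)+", "HKCU", p, flags=re.I)
    p = re.sub(r"\\ControlSet\d{3}\\", r"\\CurrentControlSet\\", p, flags=re.I)
    return re.sub(r"^HKLM\\SOFTWARE\\WOW6432Node\\", r"HKLM\\SOFTWARE\\", p, flags=re.I)

def reg_int(details):
    """Integer from 'DWORD (0x00000004)', '0x4' or '4'; None if there is none."""
    m = re.search(r"0x([0-9a-fA-F]+)|\b(\d+)\b", details)
    if not m:
        return None
    return int(m.group(1), 16) if m.group(1) else int(m.group(2))

def userinit_extras(value):
    """Entries in a Winlogon\\UserInit value other than the stock userinit.exe."""
    stock = CLEAN_USERINIT.rstrip(",").lower()
    parts = [p.strip() for p in value.split(",") if p.strip()]
    return [p for p in parts if p.lower() != stock]

def classify(key, details):
    """Return (rule, detail) when a write matches one of the report's IoCs."""
    k = key.lower()
    if k == r"hklm\software\microsoft\windows nt\currentversion\winlogon\userinit":
        extras = userinit_extras(details)
        return ("winlogon_userinit_hijack", "; ".join(extras)) if extras else None
    if re.search(r"\\currentversion\\run\\[^\\]+$", k) and \
            re.search(r"\\appdata\\(roaming|local)\\", details, re.I):
        return ("run_key_user_writable_path", details)
    m = re.search(r"\\firewallpolicy\\(\w+profile)\\enablefirewall$", k)
    if m and reg_int(details) == 0:
        return ("firewall_profile_disabled", m.group(1))
    if k == r"hklm\system\currentcontrolset\services\wscsvc\start" and reg_int(details) == 4:
        return ("security_center_service_disabled", "Start=4 (SERVICE_DISABLED)")
    m = re.search(r"\\microsoft\\security center\\(\w+)$", k)
    if m and m.group(1) in SECCENTER_SWITCHES and reg_int(details) == 1:
        return ("security_center_notifications_suppressed", m.group(1))
    return None

def scan(lines):
    """Run every record through the rules; findings come back in log order."""
    findings = []
    for line in lines:
        if not line.strip():
            continue
        ev = parse_event(line)
        key = normalize_key(ev.get("target", ""))
        details = ev.get("details", "").replace("\\\\", "\\")  # undo sandbox escaping
        hit = classify(key, details)
        if hit:
            findings.append(Finding(hit[0], ev["pid"], ev.get("image", ""), key, hit[1]))
    return findings

if __name__ == "__main__":
    for f in scan(EVENTS.splitlines()):
        print(f"[{f.rule}] pid={f.pid} {f.target} -> {f.detail}")
```

The UserInit, wscsvc and firewall rules are high-confidence on their own; the Run-key rule is not, since plenty of legitimate software registers an autostart under AppData, so treat it as a correlation signal and pivot on the writing process (here the original dropper, PID 3104) and on the target path reappearing in the UserInit value. For cleanup, the UserInit value must be set back to CLEAN_USERINIT rather than emptied, or interactive logons will break.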
Processes

1. C:\Users\Admin\AppData\Local\Temp\1502da8208dab511b9a20b8bd5ca0683_JaffaCakes118.exe (PID 3104)
   Command line: "C:\Users\Admin\AppData\Local\Temp\1502da8208dab511b9a20b8bd5ca0683_JaffaCakes118.exe"
   - Modifies WinLogon for persistence
   - Checks computer location settings
   - Adds Run key to start application
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe (PID 4840, child of PID 3104)
      Command line: "C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
      - Modifies firewall policy service
      - Modifies security service
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - System policy modification
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (T1547): 2
  - Registry Run Keys / Startup Folder (T1547.001): 1
  - Winlogon Helper DLL (T1547.004): 1
- Create or Modify System Process (T1543): 2
  - Windows Service (T1543.003): 2