Analysis
-
max time kernel
149s -
max time network
126s -
platform
windows10-2004_x64 -
resource
win10v2004-20240508-en -
resource tags
arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system -
submitted
17-05-2024 19:37
Behavioral task
behavioral1
Sample
512665db21883175c7a9af2fbb38a839_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
512665db21883175c7a9af2fbb38a839_JaffaCakes118.exe
-
Size
283KB
-
MD5
512665db21883175c7a9af2fbb38a839
-
SHA1
997ebd10c77def607dfc4a6510578f2d9a5904ce
-
SHA256
f4135f6b427e6836503797ff2f441a4f7ad343ae264396b4a4cd6bf7b295189c
-
SHA512
7095b0705a7c6038965e96b96769af8cbe4f065c3146d288e1dd0c3d240dbac827e0192fc49513666316e10af73f73174424eda006bc70ac99122192e0852971
-
SSDEEP
6144:8cNYk1yuwEDBum3qYWnl0pd0EX3Zq2b6wfIDYm0PlR:8cWkbgTYWnYnt/IDYhPn
Malware Config
Extracted
- Family: darkcomet
- Botnet (campaign ID): Guest16
- C2: 127.0.0.1:888
- Mutex: DC_MUTEX-WHLS1HP
- InstallPath: MSDCSC\msdcsc.exe
- gencode: gGRRYlfxUJpz
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Note: the configured C2 is the loopback address, so this build cannot beacon to an external controller; the empty Network section below is consistent with that. The InstallPath is relative to the user's Documents folder (the dropped copy lands at C:\Users\Admin\Documents\MSDCSC\msdcsc.exe) and reg_key is the name of the Run value created below.
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
- description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  process: 512665db21883175c7a9af2fbb38a839_JaffaCakes118.exe
The stock userinit.exe entry is kept and the dropped copy is appended after the comma, so interactive logon keeps working while msdcsc.exe is launched by Winlogon at every logon. A check that compares the whole Userinit value against the default will catch this; one that only looks for the presence of userinit.exe will not. -
Drops file in Drivers directory 1 IoCs
Processes:
- description: File opened for modification
  ioc: C:\Windows\system32\drivers\etc\hosts
  process: 512665db21883175c7a9af2fbb38a839_JaffaCakes118.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up the country code configured in the registry, likely a geofence.
Processes:
- description: Key value queried
  ioc: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\Control Panel\International\Geo\Nation
  process: 512665db21883175c7a9af2fbb38a839_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
Processes:
- pid: 1488
  process: msdcsc.exe -
Processes:
Matches yara rule upx on 14 resources (the on-disk sample, the dropped copy, and every dump of the 0x400000-0x4C7000 image region in both processes):
- resource: behavioral2/memory/4288-0-0x0000000000400000-0x00000000004C7000-memory.dmp  yara_rule: upx
- resource: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe  yara_rule: upx
- resource: behavioral2/memory/4288-65-0x0000000000400000-0x00000000004C7000-memory.dmp  yara_rule: upx
- resource: behavioral2/memory/1488-66-0x0000000000400000-0x00000000004C7000-memory.dmp  yara_rule: upx
- resource: behavioral2/memory/1488-67-0x0000000000400000-0x00000000004C7000-memory.dmp  yara_rule: upx
- resource: behavioral2/memory/1488-68-0x0000000000400000-0x00000000004C7000-memory.dmp  yara_rule: upx
- resource: behavioral2/memory/1488-69-0x0000000000400000-0x00000000004C7000-memory.dmp  yara_rule: upx
- resource: behavioral2/memory/1488-71-0x0000000000400000-0x00000000004C7000-memory.dmp  yara_rule: upx
- resource: behavioral2/memory/1488-72-0x0000000000400000-0x00000000004C7000-memory.dmp  yara_rule: upx
- resource: behavioral2/memory/1488-73-0x0000000000400000-0x00000000004C7000-memory.dmp  yara_rule: upx
- resource: behavioral2/memory/1488-74-0x0000000000400000-0x00000000004C7000-memory.dmp  yara_rule: upx
- resource: behavioral2/memory/1488-75-0x0000000000400000-0x00000000004C7000-memory.dmp  yara_rule: upx
- resource: behavioral2/memory/1488-76-0x0000000000400000-0x00000000004C7000-memory.dmp  yara_rule: upx
- resource: behavioral2/memory/1488-77-0x0000000000400000-0x00000000004C7000-memory.dmp  yara_rule: upx -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
- description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-1181767204-2009306918-3718769404-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  process: 512665db21883175c7a9af2fbb38a839_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes:
- description: Key created
  ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
  process: 512665db21883175c7a9af2fbb38a839_JaffaCakes118.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
- pid 4288 (512665db21883175c7a9af2fbb38a839_JaffaCakes118.exe) and pid 1488 (msdcsc.exe) each enable the same 24 privileges on their token:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  (33 to 36 are privilege LUIDs the sandbox did not resolve to a name.) Enabling every privilege the token holds in one pass, rather than the one or two an operation needs, is the pattern this signature keys on; the identical list in both processes is expected since the child is a copy of the same binary. -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
- pid: 1488
  process: msdcsc.exe
Only the dropped copy installs a hook, consistent with offline_keylogger being enabled in the extracted config. -
Suspicious use of WriteProcessMemory 3 IoCs
Processes:
- PID 4288 (512665db21883175c7a9af2fbb38a839_JaffaCakes118.exe) wrote to the memory of PID 1488 (msdcsc.exe), three times
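Detection logic for the persistence and host-tampering IoCs listed in the signatures above, as an added example that is not part of the sandbox report. The event records are constructed in a Sysmon-like shape from the report's IoCs (the two benign rows, the field names and the rule names are assumptions); the rules themselves are the checks a responder would run over real registry and file events.

```python
"""Added example (not part of the sandbox report): detection logic for the
persistence and host-tampering IoCs this report lists, run over constructed
Sysmon-style records. The record layout, rule names and the two benign rows
are assumptions."""
import re

SAMPLE_IMAGE = r"C:\Users\Admin\AppData\Local\Temp\512665db21883175c7a9af2fbb38a839_JaffaCakes118.exe"
USER_SID = "S-1-5-21-1181767204-2009306918-3718769404-1000"
HKU = "HKU\\" + USER_SID

# Constructed records. Rows 0-3 mirror the report's IoCs; rows 4-5 are assumed-benign.
SAMPLE_EVENTS = [
    {"type": "RegSet", "image": SAMPLE_IMAGE,
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "details": r"C:\Windows\system32\userinit.exe,C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"},
    {"type": "RegSet", "image": SAMPLE_IMAGE,
     "target": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate",
     "details": r"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"},
    {"type": "FileWrite", "image": SAMPLE_IMAGE,
     "target": r"C:\Windows\system32\drivers\etc\hosts", "details": ""},
    {"type": "RegQuery", "image": SAMPLE_IMAGE,
     "target": HKU + r"\Control Panel\International\Geo\Nation", "details": ""},
    {"type": "RegSet", "image": r"C:\Windows\System32\svchost.exe",  # assumed benign: default value
     "target": r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit",
     "details": r"C:\Windows\system32\userinit.exe,"},
    {"type": "RegSet", "image": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe",  # assumed benign
     "target": HKU + r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\OneDrive",
     "details": r"C:\Program Files\Microsoft OneDrive\OneDrive.exe /background"},
]

# Stock Userinit entry, with or without the system32 prefix.
USERINIT_STOCK = re.compile(r"^(?:[a-z]:\\windows\\system32\\)?userinit\.exe$", re.I)
# Locations an unprivileged user can write to; a Run entry pointing here is suspect.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\(?:documents|appdata|downloads|desktop)\\", re.I)


def userinit_extra_entries(value):
    """Userinit is a comma-separated list. Return every entry that is not the
    stock userinit.exe: the sample keeps the real entry and appends its own,
    so merely checking that userinit.exe is still present would not catch it."""
    entries = (e.strip().strip('"') for e in value.split(","))
    return [e for e in entries if e and not USERINIT_STOCK.match(e)]


def evaluate(events):
    """Return (rule, index) for every record a rule fires on."""
    hits = []
    for i, ev in enumerate(events):
        t, kind = ev["target"].lower(), ev["type"]
        if kind == "RegSet" and t.endswith("\\winlogon\\userinit"):
            if userinit_extra_entries(ev["details"]):
                hits.append(("winlogon_userinit_tampered", i))
        elif kind == "RegSet" and "\\currentversion\\run\\" in t:
            if USER_WRITABLE.match(ev["details"].lstrip().lstrip('"')):
                hits.append(("run_key_user_writable_path", i))
        elif kind == "FileWrite" and t.endswith("\\drivers\\etc\\hosts"):
            # Any write to hosts deserves a look; correlating by image (below)
            # is what turns it from noise into a high-confidence finding.
            hits.append(("hosts_file_modified", i))
        elif kind == "RegQuery" and t.endswith("\\international\\geo\\nation"):
            hits.append(("geo_nation_lookup", i))  # weak alone; many legitimate apps do this
    return hits


def correlate_by_image(events, hits):
    """Group rule hits by originating image so several weak signals on one binary stand out."""
    by_image = {}
    for rule, i in hits:
        by_image.setdefault(events[i]["image"], set()).add(rule)
    return by_image


if __name__ == "__main__":
    found = evaluate(SAMPLE_EVENTS)
    for image, rules in correlate_by_image(SAMPLE_EVENTS, found).items():
        print(image, "->", sorted(rules))
```

Run stand-alone, the script reports all four rules against the sample image and nothing against the two benign rows; the Userinit rule fires because the value has a second entry, not because the first one changed.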
Processes
- C:\Users\Admin\AppData\Local\Temp\512665db21883175c7a9af2fbb38a839_JaffaCakes118.exe (depth 1, PID 4288)
  command line: "C:\Users\Admin\AppData\Local\Temp\512665db21883175c7a9af2fbb38a839_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Drops file in Drivers directory
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (depth 2, PID 1488, child of the sample)
    command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe (depth 1, separate top-level process, not a child of the sample)
  command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --field-trial-handle=4336,i,17096020621006928097,15544233752327415349,262144 --variations-seed-version --mojo-platform-channel-handle=3596 /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 283KB
  MD5: 512665db21883175c7a9af2fbb38a839
  SHA1: 997ebd10c77def607dfc4a6510578f2d9a5904ce
  SHA256: f4135f6b427e6836503797ff2f441a4f7ad343ae264396b4a4cd6bf7b295189c
  SHA512: 7095b0705a7c6038965e96b96769af8cbe4f065c3146d288e1dd0c3d240dbac827e0192fc49513666316e10af73f73174424eda006bc70ac99122192e0852971
  All four digests match the submitted sample, so the dropped file is a byte-for-byte self-copy and needs no separate lookup.
Memory dumps (PID-snapshot-start-end; the 0x400000-0x4C7000 region is the mapped image, 796KB in memory against 283KB packed on disk):
- memory/4288-0-0x0000000000400000-0x00000000004C7000-memory.dmp  Filesize: 796KB
- memory/4288-1-0x00000000023E0000-0x00000000023E1000-memory.dmp  Filesize: 4KB
- memory/4288-65-0x0000000000400000-0x00000000004C7000-memory.dmp  Filesize: 796KB
- memory/1488-63-0x0000000002090000-0x0000000002091000-memory.dmp  Filesize: 4KB
- memory/1488-66-0x0000000000400000-0x00000000004C7000-memory.dmp  Filesize: 796KB
- memory/1488-67-0x0000000000400000-0x00000000004C7000-memory.dmp  Filesize: 796KB
- memory/1488-68-0x0000000000400000-0x00000000004C7000-memory.dmp  Filesize: 796KB
- memory/1488-69-0x0000000000400000-0x00000000004C7000-memory.dmp  Filesize: 796KB
- memory/1488-71-0x0000000000400000-0x00000000004C7000-memory.dmp  Filesize: 796KB
- memory/1488-72-0x0000000000400000-0x00000000004C7000-memory.dmp  Filesize: 796KB
- memory/1488-73-0x0000000000400000-0x00000000004C7000-memory.dmp  Filesize: 796KB
- memory/1488-74-0x0000000000400000-0x00000000004C7000-memory.dmp  Filesize: 796KB
- memory/1488-75-0x0000000000400000-0x00000000004C7000-memory.dmp  Filesize: 796KB
- memory/1488-76-0x0000000000400000-0x00000000004C7000-memory.dmp  Filesize: 796KB
- memory/1488-77-0x0000000000400000-0x00000000004C7000-memory.dmp  Filesize: 796KB
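Consistency checks over the artifacts listed under Downloads, as an added example that is not part of the sandbox report: it parses the dump names into PID, snapshot and address range, recomputes each region's size instead of trusting the listed Filesize, finds the image region shared by both processes, and confirms that the dropped msdcsc.exe carries exactly the sample's digests. The dump-name pattern is inferred from the names above and is an assumption about the sandbox's naming.

```python
"""Added example (not part of the sandbox report): consistency checks over the
Downloads section. Hashes are copied from the report; the dump-name pattern is
an assumption inferred from the names listed there."""
import re
from collections import defaultdict

SAMPLE_HASHES = {
    "md5": "512665db21883175c7a9af2fbb38a839",
    "sha1": "997ebd10c77def607dfc4a6510578f2d9a5904ce",
    "sha256": "f4135f6b427e6836503797ff2f441a4f7ad343ae264396b4a4cd6bf7b295189c",
    "sha512": "7095b0705a7c6038965e96b96769af8cbe4f065c3146d288e1dd0c3d240dbac8"
              "27e0192fc49513666316e10af73f73174424eda006bc70ac99122192e0852971",
}
# Digests reported for C:\Users\Admin\Documents\MSDCSC\msdcsc.exe.
DROPPED_HASHES = {
    "md5": "512665db21883175c7a9af2fbb38a839",
    "sha1": "997ebd10c77def607dfc4a6510578f2d9a5904ce",
    "sha256": "f4135f6b427e6836503797ff2f441a4f7ad343ae264396b4a4cd6bf7b295189c",
    "sha512": "7095b0705a7c6038965e96b96769af8cbe4f065c3146d288e1dd0c3d240dbac8"
              "27e0192fc49513666316e10af73f73174424eda006bc70ac99122192e0852971",
}

# Names copied from the report (sizes are recomputed below, not copied).
DUMPS = [
    "memory/4288-0-0x0000000000400000-0x00000000004C7000-memory.dmp",
    "memory/4288-1-0x00000000023E0000-0x00000000023E1000-memory.dmp",
    "memory/4288-65-0x0000000000400000-0x00000000004C7000-memory.dmp",
    "memory/1488-63-0x0000000002090000-0x0000000002091000-memory.dmp",
    "memory/1488-66-0x0000000000400000-0x00000000004C7000-memory.dmp",
    "memory/1488-77-0x0000000000400000-0x00000000004C7000-memory.dmp",
]

# <task>/memory/<pid>-<snapshot>-0x<start>-0x<end>-memory.dmp (assumed layout)
DUMP_NAME = re.compile(
    r"^(?:behavioral\d+/)?memory/(?P<pid>\d+)-(?P<snap>\d+)-"
    r"0x(?P<start>[0-9A-Fa-f]+)-0x(?P<end>[0-9A-Fa-f]+)-memory\.dmp$")


def parse_dump_name(name):
    m = DUMP_NAME.match(name)
    if not m:
        raise ValueError("not a sandbox memory dump name: " + name)
    return {"pid": int(m["pid"]), "snapshot": int(m["snap"]),
            "start": int(m["start"], 16), "end": int(m["end"], 16)}


def region_size_kb(name):
    """Size implied by the address range, to compare against the listed Filesize."""
    d = parse_dump_name(name)
    return (d["end"] - d["start"]) // 1024


def regions_by_pid(names):
    """Distinct (start, end) regions dumped per PID, collapsing repeated snapshots."""
    out = defaultdict(set)
    for n in names:
        d = parse_dump_name(n)
        out[d["pid"]].add((d["start"], d["end"]))
    return {pid: sorted(r) for pid, r in out.items()}


def shared_image_region(names):
    """Regions present in every PID's dump set; the sample and its copy map the same image."""
    per_pid = regions_by_pid(names)
    if not per_pid:
        return []
    return sorted(set.intersection(*(set(r) for r in per_pid.values())))


def is_self_copy(a, b, required=("md5", "sha1", "sha256", "sha512")):
    """True only when every required digest is present on both sides and equal;
    a partial match (one algorithm missing) is not treated as confirmation."""
    return all(k in a and k in b and a[k].lower() == b[k].lower() for k in required)


if __name__ == "__main__":
    for n in DUMPS:
        print(n, region_size_kb(n), "KB")
    print("shared image region:", [(hex(s), hex(e)) for s, e in shared_image_region(DUMPS)])
    print("dropped file is a self-copy:", is_self_copy(SAMPLE_HASHES, DROPPED_HASHES))
```

The recomputed sizes (796KB for 0x400000-0x4C7000, 4KB for the two single-page regions) agree with the listed Filesize values, and the one region common to PIDs 4288 and 1488 is the image mapping that the upx yara rule matched in the Signatures section.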