Analysis
-
max time kernel
150s
-
max time network
151s
-
platform
windows10-2004_x64
-
resource
win10v2004-20240426-en
-
resource tags
arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
-
submitted
18-05-2024 22:51
Behavioral task
behavioral1
Sample
573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
Resource
win7-20240221-en
General
-
Target
573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
-
Size
659KB
-
MD5
573dd6b96b2cb193e39ab445b2e83394
-
SHA1
00a40367a59949abf338a9ec2f8f9e21f46f62aa
-
SHA256
daadde44c8f95623f5d49dee98b69a9e929a4e15c02bbaef9ade1a3a5c8362f6
-
SHA512
73b96a148fc898011ff4faff2eff125fc55ef9bf86c1efc3897edfc9082878d45c953194f7b51c9cbf819c6486e31701a4116ceda5b47c2e185892c5d7a1a15a
-
SSDEEP
12288:S9HMeUmcufrvA3kb445UEJ2jsWiD4EvFuu4cNgZhCiZK3/X:+iBIGkbxqEcjsWiDxguehC2+
Malware Config
Extracted
Family
darkcomet
Botnet
Guest17
C2
mining1399.no-ip.biz:8080
Mutex
DC_MUTEX-PB1VQWK
-
InstallPath
Memory\System.exe
-
gencode
jb09jTdM48qG
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\Memory\\System.exe" | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
-
Modifies firewall policy service 2 TTPs 3 IoCs
Processes: System.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile | System.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" | System.exe
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" | System.exe
-
Modifies security service 2 TTPs 1 IoCs
Processes: System.exe
description | ioc | process
Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | System.exe
-
Windows security bypass
Processes: System.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | System.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | System.exe
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe
pid | process
3464 | attrib.exe
2628 | attrib.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\Control Panel\International\Geo\Nation | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
-
Executes dropped EXE 1 IoCs
Processes: System.exe
pid | process
2056 | System.exe
-
Windows security modification
Processes: System.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | System.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | System.exe
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe, System.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\Memory\\System.exe" | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-3906287020-2915474608-1755617787-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\Memory\\System.exe" | System.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Modifies registry class 1 IoCs
Processes: 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
-
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes: 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe, System.exe
description | pid | process
Token: SeIncreaseQuotaPrivilege | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
Token: SeSecurityPrivilege | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
Token: SeTakeOwnershipPrivilege | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
Token: SeLoadDriverPrivilege | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
Token: SeSystemProfilePrivilege | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
Token: SeSystemtimePrivilege | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
Token: SeProfSingleProcessPrivilege | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
Token: SeIncBasePriorityPrivilege | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
Token: SeCreatePagefilePrivilege | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
Token: SeBackupPrivilege | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
Token: SeRestorePrivilege | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
Token: SeShutdownPrivilege | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
Token: SeDebugPrivilege | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
Token: SeSystemEnvironmentPrivilege | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
Token: SeChangeNotifyPrivilege | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
Token: SeRemoteShutdownPrivilege | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
Token: SeUndockPrivilege | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
Token: SeManageVolumePrivilege | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
Token: SeImpersonatePrivilege | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
Token: SeCreateGlobalPrivilege | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
Token: 33 | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
Token: 34 | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
Token: 35 | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
Token: 36 | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe
Token: SeIncreaseQuotaPrivilege | 2056 | System.exe
Token: SeSecurityPrivilege | 2056 | System.exe
Token: SeTakeOwnershipPrivilege | 2056 | System.exe
Token: SeLoadDriverPrivilege | 2056 | System.exe
Token: SeSystemProfilePrivilege | 2056 | System.exe
Token: SeSystemtimePrivilege | 2056 | System.exe
Token: SeProfSingleProcessPrivilege | 2056 | System.exe
Token: SeIncBasePriorityPrivilege | 2056 | System.exe
Token: SeCreatePagefilePrivilege | 2056 | System.exe
Token: SeBackupPrivilege | 2056 | System.exe
Token: SeRestorePrivilege | 2056 | System.exe
Token: SeShutdownPrivilege | 2056 | System.exe
Token: SeDebugPrivilege | 2056 | System.exe
Token: SeSystemEnvironmentPrivilege | 2056 | System.exe
Token: SeChangeNotifyPrivilege | 2056 | System.exe
Token: SeRemoteShutdownPrivilege | 2056 | System.exe
Token: SeUndockPrivilege | 2056 | System.exe
Token: SeManageVolumePrivilege | 2056 | System.exe
Token: SeImpersonatePrivilege | 2056 | System.exe
Token: SeCreateGlobalPrivilege | 2056 | System.exe
Token: 33 | 2056 | System.exe
Token: 34 | 2056 | System.exe
Token: 35 | 2056 | System.exe
Token: 36 | 2056 | System.exe
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: System.exe
pid | process
2056 | System.exe
-
Suspicious use of WriteProcessMemory 37 IoCs
Processes: 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe, cmd.exe, cmd.exe, System.exe
description | pid | process | target process
PID 4280 wrote to memory of 1296 | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe | cmd.exe
PID 4280 wrote to memory of 1296 | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe | cmd.exe
PID 4280 wrote to memory of 1296 | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe | cmd.exe
PID 4280 wrote to memory of 3140 | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe | cmd.exe
PID 4280 wrote to memory of 3140 | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe | cmd.exe
PID 4280 wrote to memory of 3140 | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe | cmd.exe
PID 3140 wrote to memory of 3464 | 3140 | cmd.exe | attrib.exe
PID 3140 wrote to memory of 3464 | 3140 | cmd.exe | attrib.exe
PID 3140 wrote to memory of 3464 | 3140 | cmd.exe | attrib.exe
PID 1296 wrote to memory of 2628 | 1296 | cmd.exe | attrib.exe
PID 1296 wrote to memory of 2628 | 1296 | cmd.exe | attrib.exe
PID 1296 wrote to memory of 2628 | 1296 | cmd.exe | attrib.exe
PID 4280 wrote to memory of 2056 | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe | System.exe
PID 4280 wrote to memory of 2056 | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe | System.exe
PID 4280 wrote to memory of 2056 | 4280 | 573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe | System.exe
PID 2056 wrote to memory of 4340 | 2056 | System.exe | notepad.exe
PID 2056 wrote to memory of 4340 | 2056 | System.exe | notepad.exe
PID 2056 wrote to memory of 4340 | 2056 | System.exe | notepad.exe
PID 2056 wrote to memory of 4340 | 2056 | System.exe | notepad.exe
PID 2056 wrote to memory of 4340 | 2056 | System.exe | notepad.exe
PID 2056 wrote to memory of 4340 | 2056 | System.exe | notepad.exe
PID 2056 wrote to memory of 4340 | 2056 | System.exe | notepad.exe
PID 2056 wrote to memory of 4340 | 2056 | System.exe | notepad.exe
PID 2056 wrote to memory of 4340 | 2056 | System.exe | notepad.exe
PID 2056 wrote to memory of 4340 | 2056 | System.exe | notepad.exe
PID 2056 wrote to memory of 4340 | 2056 | System.exe | notepad.exe
PID 2056 wrote to memory of 4340 | 2056 | System.exe | notepad.exe
PID 2056 wrote to memory of 4340 | 2056 | System.exe | notepad.exe
PID 2056 wrote to memory of 4340 | 2056 | System.exe | notepad.exe
PID 2056 wrote to memory of 4340 | 2056 | System.exe | notepad.exe
PID 2056 wrote to memory of 4340 | 2056 | System.exe | notepad.exe
PID 2056 wrote to memory of 4340 | 2056 | System.exe | notepad.exe
PID 2056 wrote to memory of 4340 | 2056 | System.exe | notepad.exe
PID 2056 wrote to memory of 4340 | 2056 | System.exe | notepad.exe
PID 2056 wrote to memory of 4340 | 2056 | System.exe | notepad.exe
PID 2056 wrote to memory of 4340 | 2056 | System.exe | notepad.exe
PID 2056 wrote to memory of 4340 | 2056 | System.exe | notepad.exe
-
System policy modification 1 TTPs 3 IoCs
Processes: System.exe
description | ioc | process
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | System.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | System.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | System.exe
-
Views/modifies file attributes 1 TTPs 2 IoCs
Processes: attrib.exe, attrib.exe
pid | process
3464 | attrib.exe
2628 | attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe (level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe"
  Signatures:
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe" +s +h
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (level 3)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\573dd6b96b2cb193e39ab445b2e83394_JaffaCakes118.exe" +s +h
      Signatures:
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\Windows\SysWOW64\cmd.exe (level 2)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    Signatures:
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\attrib.exe (level 3)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      Signatures:
      - Sets file to hidden
      - Views/modifies file attributes
  - C:\Users\Admin\AppData\Roaming\Memory\System.exe (level 2)
    Command line: "C:\Users\Admin\AppData\Roaming\Memory\System.exe"
    Signatures:
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    - C:\Windows\SysWOW64\notepad.exe (level 3)
      Command line: notepad
Network
MITRE ATT&CK Matrix ATT&CK v13
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads
-
C:\Users\Admin\AppData\Roaming\Memory\System.exe
Filesize: 659KB
MD5: 573dd6b96b2cb193e39ab445b2e83394
SHA1: 00a40367a59949abf338a9ec2f8f9e21f46f62aa
SHA256: daadde44c8f95623f5d49dee98b69a9e929a4e15c02bbaef9ade1a3a5c8362f6
SHA512: 73b96a148fc898011ff4faff2eff125fc55ef9bf86c1efc3897edfc9082878d45c953194f7b51c9cbf819c6486e31701a4116ceda5b47c2e185892c5d7a1a15a
-
memory/2056-71-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize: 712KB
-
memory/2056-73-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize: 712KB
-
memory/2056-69-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize: 712KB
-
memory/2056-70-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize: 712KB
-
memory/2056-64-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize: 712KB
-
memory/2056-65-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize: 712KB
-
memory/2056-66-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize: 712KB
-
memory/2056-67-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize: 712KB
-
memory/2056-77-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize: 712KB
-
memory/2056-68-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize: 712KB
-
memory/2056-76-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize: 712KB
-
memory/2056-75-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize: 712KB
-
memory/2056-72-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize: 712KB
-
memory/2056-61-0x00000000022A0000-0x00000000022A1000-memory.dmp
Filesize: 4KB
-
memory/2056-74-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize: 712KB
-
memory/4280-0-0x0000000002140000-0x0000000002141000-memory.dmp
Filesize: 4KB
-
memory/4280-63-0x0000000000400000-0x00000000004B2000-memory.dmp
Filesize: 712KB
-
memory/4340-62-0x0000000001170000-0x0000000001171000-memory.dmp
Filesize: 4KB