Analysis

max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240221-en
resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
submitted: 19-05-2024 20:50
Behavioral task behavioral1
  Sample: 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe
  Resource: win7-20240221-en

Behavioral task behavioral2
  Sample: 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe
  Resource: win10v2004-20240508-en
General

Target: 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe
Size: 747KB
MD5: 5b67e0d6be1db935e2779f0e6746ddf2
SHA1: 38b9a136e53d24404c96d3124cf85d48c1f313ab
SHA256: 86d57c0daef1c23954e3ea2323935c745ccc9962b2e3988e02e52225549f13ab
SHA512: faa1a25ac236b077c5fdb7ba0bf5e8f4314e7b4a8d078763de901ced08838e359e4cf896170b72278a00da4c18cfa9bd5052bece86bcf8da61ef8dfb393bd08f
SSDEEP: 12288:fk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/R/fsvv:s0QRWoJEfg0oChGdJQbjPbNW5tYeP+Gy
Malware Config

Extracted
  Family: darkcomet
  Botnet: Guest16
  C2: minou470.no-ip.biz:81
  Mutex: DC_MUTEX-ASL007U
  Attributes:
    InstallPath: MSDCSC\msdcsc.exe
    gencode: g9ZKMwMSwJF4
    install: true
    offline_keylogger: true
    password: sid
    persistence: true
    reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe" | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe

Deletes itself (1 IoC)
  Processes:
  pid | process
  2288 | cmd.exe

Executes dropped EXE (1 IoC)
  Processes:
  pid | process
  3028 | msdcsc.exe

Loads dropped DLL (2 IoCs)
  Processes:
  pid | process
  2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe
  2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe" | msdcsc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3452737119-3959686427-228443150-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\msdcsc.exe" | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 1 IoC)

Suspicious use of AdjustPrivilegeToken (46 IoCs)
  Processes:
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe
  Token: SeSecurityPrivilege | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe
  Token: SeTakeOwnershipPrivilege | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe
  Token: SeLoadDriverPrivilege | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe
  Token: SeSystemProfilePrivilege | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe
  Token: SeSystemtimePrivilege | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe
  Token: SeProfSingleProcessPrivilege | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe
  Token: SeIncBasePriorityPrivilege | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe
  Token: SeCreatePagefilePrivilege | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe
  Token: SeBackupPrivilege | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe
  Token: SeRestorePrivilege | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe
  Token: SeShutdownPrivilege | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe
  Token: SeDebugPrivilege | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe
  Token: SeSystemEnvironmentPrivilege | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe
  Token: SeChangeNotifyPrivilege | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe
  Token: SeRemoteShutdownPrivilege | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe
  Token: SeUndockPrivilege | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe
  Token: SeManageVolumePrivilege | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe
  Token: SeImpersonatePrivilege | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe
  Token: SeCreateGlobalPrivilege | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe
  Token: 33 | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe
  Token: 34 | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe
  Token: 35 | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe
  Token: SeIncreaseQuotaPrivilege | 3028 | msdcsc.exe
  Token: SeSecurityPrivilege | 3028 | msdcsc.exe
  Token: SeTakeOwnershipPrivilege | 3028 | msdcsc.exe
  Token: SeLoadDriverPrivilege | 3028 | msdcsc.exe
  Token: SeSystemProfilePrivilege | 3028 | msdcsc.exe
  Token: SeSystemtimePrivilege | 3028 | msdcsc.exe
  Token: SeProfSingleProcessPrivilege | 3028 | msdcsc.exe
  Token: SeIncBasePriorityPrivilege | 3028 | msdcsc.exe
  Token: SeCreatePagefilePrivilege | 3028 | msdcsc.exe
  Token: SeBackupPrivilege | 3028 | msdcsc.exe
  Token: SeRestorePrivilege | 3028 | msdcsc.exe
  Token: SeShutdownPrivilege | 3028 | msdcsc.exe
  Token: SeDebugPrivilege | 3028 | msdcsc.exe
  Token: SeSystemEnvironmentPrivilege | 3028 | msdcsc.exe
  Token: SeChangeNotifyPrivilege | 3028 | msdcsc.exe
  Token: SeRemoteShutdownPrivilege | 3028 | msdcsc.exe
  Token: SeUndockPrivilege | 3028 | msdcsc.exe
  Token: SeManageVolumePrivilege | 3028 | msdcsc.exe
  Token: SeImpersonatePrivilege | 3028 | msdcsc.exe
  Token: SeCreateGlobalPrivilege | 3028 | msdcsc.exe
  Token: 33 | 3028 | msdcsc.exe
  Token: 34 | 3028 | msdcsc.exe
  Token: 35 | 3028 | msdcsc.exe

Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
  pid | process
  3028 | msdcsc.exe

Suspicious use of WriteProcessMemory (12 IoCs)
  Processes:
  description | pid | process | target process
  PID 2208 wrote to memory of 2288 | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe | cmd.exe
  PID 2208 wrote to memory of 2288 | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe | cmd.exe
  PID 2208 wrote to memory of 2288 | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe | cmd.exe
  PID 2208 wrote to memory of 2288 | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe | cmd.exe
  PID 2208 wrote to memory of 3028 | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe | msdcsc.exe
  PID 2208 wrote to memory of 3028 | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe | msdcsc.exe
  PID 2208 wrote to memory of 3028 | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe | msdcsc.exe
  PID 2208 wrote to memory of 3028 | 2208 | 5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe | msdcsc.exe
  PID 2288 wrote to memory of 2880 | 2288 | cmd.exe | PING.EXE
  PID 2288 wrote to memory of 2880 | 2288 | cmd.exe | PING.EXE
  PID 2288 wrote to memory of 2880 | 2288 | cmd.exe | PING.EXE
  PID 2288 wrote to memory of 2880 | 2288 | cmd.exe | PING.EXE
Processes

1. C:\Users\Admin\AppData\Local\Temp\5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe"
   - Modifies WinLogon for persistence
   - Loads dropped DLL
   - Adds Run key to start application
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\5b67e0d6be1db935e2779f0e6746ddf2_JaffaCakes118.exe"
      - Deletes itself
      - Suspicious use of WriteProcessMemory

      3. C:\Windows\SysWOW64\PING.EXE
         Command line: ping 127.0.0.1 -n 4
         - Runs ping.exe

   2. C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
      Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Downloads

\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\msdcsc.exe
  Filesize: 747KB
  MD5: 5b67e0d6be1db935e2779f0e6746ddf2
  SHA1: 38b9a136e53d24404c96d3124cf85d48c1f313ab
  SHA256: 86d57c0daef1c23954e3ea2323935c745ccc9962b2e3988e02e52225549f13ab
  SHA512: faa1a25ac236b077c5fdb7ba0bf5e8f4314e7b4a8d078763de901ced08838e359e4cf896170b72278a00da4c18cfa9bd5052bece86bcf8da61ef8dfb393bd08f

memory/2208-0-0x0000000000260000-0x0000000000261000-memory.dmp
  Filesize: 4KB

memory/2208-11-0x0000000000400000-0x00000000004C8000-memory.dmp
  Filesize: 800KB

memory/3028-17-0x0000000000400000-0x00000000004C8000-memory.dmp
  Filesize: 800KB

memory/3028-19-0x0000000000400000-0x00000000004C8000-memory.dmp
  Filesize: 800KB

memory/3028-14-0x0000000000400000-0x00000000004C8000-memory.dmp
  Filesize: 800KB

memory/3028-15-0x0000000000400000-0x00000000004C8000-memory.dmp
  Filesize: 800KB

memory/3028-16-0x0000000000400000-0x00000000004C8000-memory.dmp
  Filesize: 800KB

memory/3028-12-0x0000000000270000-0x0000000000271000-memory.dmp
  Filesize: 4KB

memory/3028-18-0x0000000000400000-0x00000000004C8000-memory.dmp
  Filesize: 800KB

memory/3028-13-0x0000000000400000-0x00000000004C8000-memory.dmp
  Filesize: 800KB

memory/3028-20-0x0000000000400000-0x00000000004C8000-memory.dmp
  Filesize: 800KB

memory/3028-21-0x0000000000400000-0x00000000004C8000-memory.dmp
  Filesize: 800KB

memory/3028-22-0x0000000000400000-0x00000000004C8000-memory.dmp
  Filesize: 800KB

memory/3028-23-0x0000000000400000-0x00000000004C8000-memory.dmp
  Filesize: 800KB

memory/3028-24-0x0000000000400000-0x00000000004C8000-memory.dmp
  Filesize: 800KB

memory/3028-25-0x0000000000400000-0x00000000004C8000-memory.dmp
  Filesize: 800KB

memory/3028-26-0x0000000000400000-0x00000000004C8000-memory.dmp
  Filesize: 800KB