Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240426-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 20-05-2024 18:48

Static task: static1
Behavioral task: behavioral1
Sample: 60a23c51894524a344bfecab6532dc7f_JaffaCakes118.exe
Resource: win7-20240221-en

General
- Target: 60a23c51894524a344bfecab6532dc7f_JaffaCakes118.exe
- Size: 541KB
- MD5: 60a23c51894524a344bfecab6532dc7f
- SHA1: fb84a84cb7e6ce0ecf8fc75ffcf162ddcaffcdd7
- SHA256: 57ea796132c2aaab208d837a2405013f5aff35f7808db136032540ca5af6388f
- SHA512: a43f13af5fc0beeec1802a8541cd79104766e82b4770221e0e8bfe78df48b04267d0b777a457badee7a548d90bcd7786048e616e666e566a80e20d8cf4a3ca52
- SSDEEP: 12288:T2ghLvPhXpe3PliT+tcuncgmkJx6uWyQ9I0xyWgs+1r:1XhZgPloumkJx/PCILWl+l
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16
- C2:
  - 37.45.181.235:1604
  - coldwarn.ddns.net:1604
  - coldwarn.ddns.net:8621
  - valparusfive.ddns.net:1604
- Mutex: DC_MUTEX-J03NXGL
- InstallPath: MSDC1SC\msd1csc.exe
- gencode: jyVpYcNsHGRM
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate1
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: Gekon.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC1SC\\msd1csc.exe" (Gekon.exe)

Modifies firewall policy service (2 TTPs, 3 IoCs)
Processes: msd1csc.exe
- Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (msd1csc.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (msd1csc.exe)
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (msd1csc.exe)

Modifies security service (2 TTPs, 1 IoC)
Processes: msd1csc.exe
- Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (msd1csc.exe)

Windows security bypass
Processes: msd1csc.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (msd1csc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (msd1csc.exe)

Disables Task Manager via registry modification

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe, attrib.exe
- PID 3080 attrib.exe
- PID 3676 attrib.exe

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 60a23c51894524a344bfecab6532dc7f_JaffaCakes118.exe, Gekon.exe
- Key value queried: \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation (60a23c51894524a344bfecab6532dc7f_JaffaCakes118.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\Control Panel\International\Geo\Nation (Gekon.exe)

Executes dropped EXE (2 IoCs)
Processes: Gekon.exe, msd1csc.exe
- PID 3892 Gekon.exe
- PID 3700 msd1csc.exe

Yara rule matches (rule: upx)
- C:\Users\Admin\AppData\Roaming\Gekon.exe
- behavioral2/memory/3892-12-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/3700-75-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/3892-77-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/3700-79-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/3700-81-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/3700-83-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/3700-85-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/3700-87-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/3700-89-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/3700-90-0x0000000000400000-0x00000000004B7000-memory.dmp
- behavioral2/memory/3700-92-0x0000000000400000-0x00000000004B7000-memory.dmp

Windows security modification
Processes: msd1csc.exe
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (msd1csc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" (msd1csc.exe)

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: Gekon.exe, msd1csc.exe
- Set value (str): \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC1SC\\msd1csc.exe" (Gekon.exe)
- Set value (str): \REGISTRY\USER\S-1-5-21-711569230-3659488422-571408806-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate1 = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDC1SC\\msd1csc.exe" (msd1csc.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Modifies registry class (1 IoC)
Processes: Gekon.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (Gekon.exe)

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes: msd1csc.exe
- PID 3700 msd1csc.exe

Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes: Gekon.exe, msd1csc.exe
- Gekon.exe (PID 3892), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- msd1csc.exe (PID 3700), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
Processes: msd1csc.exe
- PID 3700 msd1csc.exe

Suspicious use of WriteProcessMemory (57 IoCs)
Processes: 60a23c51894524a344bfecab6532dc7f_JaffaCakes118.exe, Gekon.exe, cmd.exe, cmd.exe, msd1csc.exe
Parent process and target process (repeated rows for the same pair collapsed; the 57 count above is the original row count):
- PID 4600 60a23c51894524a344bfecab6532dc7f_JaffaCakes118.exe wrote to memory of PID 3892 Gekon.exe
- PID 3892 Gekon.exe wrote to memory of PID 4580 cmd.exe
- PID 3892 Gekon.exe wrote to memory of PID 908 cmd.exe
- PID 3892 Gekon.exe wrote to memory of PID 2312 notepad.exe
- PID 4580 cmd.exe wrote to memory of PID 3080 attrib.exe
- PID 908 cmd.exe wrote to memory of PID 3676 attrib.exe
- PID 3892 Gekon.exe wrote to memory of PID 3700 msd1csc.exe
- PID 3700 msd1csc.exe wrote to memory of PID 620 notepad.exe

System policy modification (1 TTP, 3 IoCs)
Processes: msd1csc.exe
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern (msd1csc.exe)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" (msd1csc.exe)
- Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion (msd1csc.exe)

Views/modifies file attributes (1 TTP, 2 IoCs)
Processes: attrib.exe, attrib.exe
- PID 3080 attrib.exe
- PID 3676 attrib.exe
Processes
- (depth 1) C:\Users\Admin\AppData\Local\Temp\60a23c51894524a344bfecab6532dc7f_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\60a23c51894524a344bfecab6532dc7f_JaffaCakes118.exe"
  - Checks computer location settings
  - Suspicious use of WriteProcessMemory
  - (depth 2) C:\Users\Admin\AppData\Roaming\Gekon.exe
    Command line: "C:\Users\Admin\AppData\Roaming\Gekon.exe"
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming\Gekon.exe" +s +h
      - Suspicious use of WriteProcessMemory
      - (depth 4) C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Roaming\Gekon.exe" +s +h
        - Sets file to hidden
        - Views/modifies file attributes
    - (depth 3) C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Roaming" +s +h
      - Suspicious use of WriteProcessMemory
      - (depth 4) C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Roaming" +s +h
        - Sets file to hidden
        - Views/modifies file attributes
    - (depth 3) C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
    - (depth 3) C:\Users\Admin\AppData\Local\Temp\MSDC1SC\msd1csc.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\MSDC1SC\msd1csc.exe"
      - Modifies firewall policy service
      - Modifies security service
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - Adds Run key to start application
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - System policy modification
      - (depth 4) C:\Windows\SysWOW64\notepad.exe
        Command line: notepad
Network
MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Downloads
- C:\Users\Admin\AppData\Roaming\Gekon.exe
  Filesize: 252KB
  MD5: 6f648790e3f364b7885b15a75dc84e90
  SHA1: 1e53de6d72c77796efc313becf40575cf0a464db
  SHA256: 30bcb57982cf131921d229ea13f6b1086bdd722266fde287609a31fb1896184a
  SHA512: 8bb05a9d42e65016fe171cd3d6ed38c06c7b990aad3efdb5494bd89dd29b2031b3bce3aeb4f4999052a4a6ba95a18465da15203fd599dd35935b7fd432d0aa40
- memory/620-76-0x0000000000990000-0x0000000000991000-memory.dmp (Filesize: 4KB)
- memory/2312-16-0x0000000000E30000-0x0000000000E31000-memory.dmp (Filesize: 4KB)
- memory/3700-83-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/3700-75-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/3700-79-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/3700-81-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/3700-85-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/3700-87-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/3700-89-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/3700-90-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/3700-92-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/3892-13-0x00000000007F0000-0x00000000007F1000-memory.dmp (Filesize: 4KB)
- memory/3892-77-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)
- memory/3892-12-0x0000000000400000-0x00000000004B7000-memory.dmp (Filesize: 732KB)