Analysis
  max time kernel: 148s
  max time network: 151s
  platform: windows10-2004_x64
  resource: win10v2004-20240426-en
  resource tags: arch:x64, arch:x86, image:win10v2004-20240426-en, locale:en-us, os:windows10-2004-x64, system
  submitted: 21-05-2024 19:07
Behavioral task
  Task: behavioral1
  Sample: 646df1687944b72c9b88ae9b867d2609_JaffaCakes118.exe
  Resource: win7-20240508-en
General
  Target: 646df1687944b72c9b88ae9b867d2609_JaffaCakes118.exe
  Size: 807KB
  MD5: 646df1687944b72c9b88ae9b867d2609
  SHA1: 69d02cea4e83bcae2ca82a46da826b532c48524e
  SHA256: bce176ac6933b54d90e4d933e8501d240907a2b50832a1bd10777c45d668d82a
  SHA512: a6a72990eeacca483eb3972d10113be6697ea0b296d71e6827bac92af0e59e07ac54d2f420e4a1acbbd77091bf4c316cbee2b418ccc23c592cc2ac93cad1f352
  SSDEEP: 12288:+9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hjy1T2GR3:KZ1xuVVjfFoynPaVBUR8f+kN10EBByj3
Malware Config
Extracted
  Family: darkcomet
  Botnet: Guest16
  C2: tarikozturk1287.duckdns.org:1604
  Mutex: DC_MUTEX-1X71TEG
  InstallPath: svchost\svchost.exe
  gencode: 3Q1BriCVqxr1
  install: true
  offline_keylogger: true
  persistence: false
  reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: 646df1687944b72c9b88ae9b867d2609_JaffaCakes118.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\svchost\\svchost.exe"

Modifies firewall policy service (2 TTPs, 3 IoCs)
  Process: svchost.exe
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
  - Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile

Modifies security service (2 TTPs, 1 IoC)
  Process: svchost.exe
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"

Windows security bypass (heading missing from the page; name taken from the process tree below)
  Process: svchost.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"

Disables RegEdit via registry modification (1 IoC)
  Process: svchost.exe
  - Set value (int): \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"

Sets file to hidden (1 TTP, 1 IoC)
  Modifies file attributes to stop it showing in Explorer etc.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Process: 646df1687944b72c9b88ae9b867d2609_JaffaCakes118.exe
  - Key value queried: \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
  Process: svchost.exe (PID 852)

Windows security modification (heading missing from the page; name taken from the process tree below)
  Process: svchost.exe
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"

Adds Run key to start application (2 TTPs, 1 IoC)
  Process: 646df1687944b72c9b88ae9b867d2609_JaffaCakes118.exe
  - Set value (str): \REGISTRY\USER\S-1-5-21-1162180587-977231257-2194346871-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\svchost\\svchost.exe"

Drops file in System32 directory (3 IoCs)
  Process: 646df1687944b72c9b88ae9b867d2609_JaffaCakes118.exe
  - File created: C:\Windows\SysWOW64\svchost\svchost.exe
  - File opened for modification: C:\Windows\SysWOW64\svchost\svchost.exe
  - File opened for modification: C:\Windows\SysWOW64\svchost\

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Process: svchost.exe (PID 852)

Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Process: 646df1687944b72c9b88ae9b867d2609_JaffaCakes118.exe (PID 1168), tokens adjusted in this order:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  Process: svchost.exe (PID 852), tokens adjusted in this order:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
  Process: svchost.exe (PID 852)

Suspicious use of WriteProcessMemory (9 IoCs)
  - PID 1168 (646df1687944b72c9b88ae9b867d2609_JaffaCakes118.exe) wrote to memory of PID 4848 (cmd.exe): 3 entries
  - PID 1168 (646df1687944b72c9b88ae9b867d2609_JaffaCakes118.exe) wrote to memory of PID 852 (svchost.exe): 3 entries
  - PID 4848 (cmd.exe) wrote to memory of PID 1540 (attrib.exe): 3 entries

System policy modification (1 TTP, 3 IoCs)
  Process: svchost.exe
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
  - Key created: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"

Views/modifies file attributes (1 TTP, 1 IoC)
Processes (tree; indentation shows parent/child depth)

C:\Users\Admin\AppData\Local\Temp\646df1687944b72c9b88ae9b867d2609_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\646df1687944b72c9b88ae9b867d2609_JaffaCakes118.exe"
  Signatures:
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    Signatures:
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      Signatures:
      - Sets file to hidden
      - Views/modifies file attributes

  C:\Windows\SysWOW64\svchost\svchost.exe
    Command line: "C:\Windows\system32\svchost\svchost.exe"
    Signatures:
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - System policy modification
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads

C:\Windows\SysWOW64\svchost\svchost.exe
  Filesize: 807KB
  MD5: 646df1687944b72c9b88ae9b867d2609
  SHA1: 69d02cea4e83bcae2ca82a46da826b532c48524e
  SHA256: bce176ac6933b54d90e4d933e8501d240907a2b50832a1bd10777c45d668d82a
  SHA512: a6a72990eeacca483eb3972d10113be6697ea0b296d71e6827bac92af0e59e07ac54d2f420e4a1acbbd77091bf4c316cbee2b418ccc23c592cc2ac93cad1f352

memory/852-13-0x00000000025D0000-0x00000000025D1000-memory.dmp
  Filesize: 4KB

memory/852-15-0x0000000000400000-0x00000000004D7000-memory.dmp
  Filesize: 860KB

memory/852-17-0x0000000000400000-0x00000000004D7000-memory.dmp
  Filesize: 860KB

memory/1168-0-0x00000000005C0000-0x00000000005C1000-memory.dmp
  Filesize: 4KB

memory/1168-14-0x0000000000400000-0x00000000004D7000-memory.dmp
  Filesize: 860KB