Analysis

  max time kernel:  150s
  max time network: 150s
  platform:         windows7_x64
  resource:         win7-20240508-en
  resource tags:    arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
  submitted:        12/06/2024, 19:49
Behavioral task: behavioral1
  Sample:   a20f3a7d747f7b921b7f61cddd4e02e8_JaffaCakes118.exe
  Resource: win7-20240508-en
General

  Target: a20f3a7d747f7b921b7f61cddd4e02e8_JaffaCakes118.exe
  Size:   253KB
  MD5:    a20f3a7d747f7b921b7f61cddd4e02e8
  SHA1:   7a63906dc0e006b7c6ada08c2cab329ec37f6010
  SHA256: 9d3877131ba099e0280613d5014d115ac85cd5200cc58818433379f7371d257e
  SHA512: 06e051790c648a0287385997bfbe9d9006cd052f51154e688d0dcad299be9db0d83f5c90cf146a22c19a70704d55844d863b9b46e03352481734f2c30669c8f0
  SSDEEP: 6144:5D7cY2fgssM7Wirg9KXylmRiL+QMeC/i6isqX7UovnONztByipwxZQqa:5l8E4w5huat7UovONzbXwUl
Malware Config

Extracted
  Family: darkcomet
  Botnet: Guest16
  C2:     richiflash.ddns.net:1604
  C2:     richiflash.ddns.net:27015
  Mutex:  DC_MUTEX-92ZQAPJ
  Attributes
    InstallPath:       MSDCSC\msdcsc.exe
    gencode:           WFcYVEvnPTaG
    install:           true
    offline_keylogger: false
    persistence:       false
    reg_key:           MicroUpdate

  Most of these are DarkComet builder defaults (campaign ID Guest16, port 1604, install path MSDCSC\msdcsc.exe, Run key name MicroUpdate); only the dynamic-DNS C2 hostname and the second port (27015) were changed. "persistence: false" is the name of DarkComet's own process-protection option and does not mean the build lacks autostart: "install: true" together with reg_key MicroUpdate is what produces the Run key and Winlogon entries recorded under Signatures.
Signatures

Modifies WinLogon for persistence  [2 TTPs, 1 IoC]
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"  (process: a20f3a7d747f7b921b7f61cddd4e02e8_JaffaCakes118.exe)
  The dropped msdcsc.exe is appended after the legitimate userinit.exe, so Winlogon starts it at every interactive logon (the Winlogon Helper DLL technique in the MITRE mapping at the end of this report).

Modifies firewall policy service  [2 TTPs, 3 IoCs]
  - Key created:     \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile  (process: msdcsc.exe)
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  (process: msdcsc.exe)
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"  (process: msdcsc.exe)
  EnableFirewall = 0 switches the Windows Firewall off for the Standard profile.

Modifies security service  [2 TTPs, 1 IoC]
  - Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"  (process: msdcsc.exe)
  Start = 4 is SERVICE_DISABLED: the Security Center service (wscsvc) will not start on the next boot.

Windows security bypass  [2 IoCs]
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  (process: msdcsc.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  (process: msdcsc.exe)

Disables RegEdit via registry modification  [1 IoC]
  - Set value (int): \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  (process: msdcsc.exe)

Disables Task Manager via registry modification
Sets file to hidden  [1 TTP, 2 IoCs]
  Modifies file attributes to stop it showing in Explorer etc.
  - pid 1644 attrib.exe
  - pid 2036 attrib.exe

Executes dropped EXE  [1 IoC]
  - pid 2648 msdcsc.exe

Loads dropped DLL  [2 IoCs]
  - pid 2180 a20f3a7d747f7b921b7f61cddd4e02e8_JaffaCakes118.exe  (2 entries)

UPX (yara rule: upx)  [16 matches]
  - behavioral1/memory/2180-0-0x0000000000400000-0x00000000004BA000-memory.dmp
  - behavioral1/files/0x0035000000015c7f-5.dat
  - behavioral1/memory/2180-14-0x0000000000400000-0x00000000004BA000-memory.dmp
  - behavioral1/memory/2648-N-0x0000000000400000-0x00000000004BA000-memory.dmp for N in 15, 56, 57, 58, 59, 60, 62, 63, 64, 65, 67, 68, 69
  The original sample (pid 2180), the dropped file and the running msdcsc.exe (pid 2648) all match the UPX rule over the same 0x400000-0x4BA000 image range, consistent with the drop being a copy of the packed sample written to InstallPath.

Windows security modification  [2 IoCs]
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  (process: msdcsc.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  (process: msdcsc.exe)

Adds Run key to start application  [2 TTPs, 1 IoC]
  - Set value (str): \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe"  (process: a20f3a7d747f7b921b7f61cddd4e02e8_JaffaCakes118.exe)
  The value name (MicroUpdate) and target path match the reg_key and InstallPath fields of the extracted config.
Enumerates physical storage devices  [1 TTP]
  Attempts to interact with connected storage/optical drive(s).

Suspicious behavior: GetForegroundWindowSpam  [1 IoC]
  - pid 2648 msdcsc.exe

Suspicious use of AdjustPrivilegeToken  [46 IoCs]
  pid 2180 (a20f3a7d747f7b921b7f61cddd4e02e8_JaffaCakes118.exe) and pid 2648 (msdcsc.exe) each enable the same 23 privileges, 46 entries in total:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the privileges reported by LUID 33, 34 and 35 (SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege).
  Enabling every privilege in the token at once, rather than the one or two an operation needs, is itself a useful behavioural signal; SeDebugPrivilege is the one to watch, since it lets the process open and write to processes it does not own.
Suspicious use of WriteProcessMemory  [51 IoCs]
  writer pid -> target pid (target image, procid_target), number of writes:
  - 2180 a20f3a7d747f7b921b7f61cddd4e02e8_JaffaCakes118.exe -> 3064 cmd.exe (28)        x4
  - 2180 a20f3a7d747f7b921b7f61cddd4e02e8_JaffaCakes118.exe -> 2444 cmd.exe (29)        x4
  - 3064 cmd.exe -> 1644 attrib.exe (33)                                                x4
  - 2444 cmd.exe -> 2036 attrib.exe (32)                                                x4
  - 2180 a20f3a7d747f7b921b7f61cddd4e02e8_JaffaCakes118.exe -> 2648 msdcsc.exe (34)     x4
  - 2648 msdcsc.exe -> 2652 iexplore.exe (35)                                           x4
  - 2648 msdcsc.exe -> 2040 explorer.exe (36)                                           x4
  - 2648 msdcsc.exe -> 2904 notepad.exe (37)                                            x23
  The uniform four writes into each newly spawned child coincide with process creation; the 23 writes into notepad.exe (pid 2904) are the outlier and are consistent with code being injected into that process.

System policy modification  [1 TTP, 3 IoCs]
  - Key created:     \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion  (process: msdcsc.exe)
  - Key created:     \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern  (process: msdcsc.exe)
  - Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"  (process: msdcsc.exe)
  The path is reproduced as the sample wrote it. Explorer reads NoControlPanel from HKLM\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\Explorer, not from Policies\CurrentVersion\Explorern, so this value has no effect on the host, but the malformed key is a high-fidelity indicator.

Views/modifies file attributes  [1 TTP, 2 IoCs]
  - pid 2036 attrib.exe
  - pid 1644 attrib.exe
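The registry IoCs above are exactly the kind of events a detection pipeline sees from Sysmon Event ID 13 or a sandbox trace. The following is an added example (not part of the sandbox report) that runs the checks a practitioner would want over those events: Winlogon UserInit tampering, an autostart pointing into a user-writable path, firewall disabled by policy, a security service set to SERVICE_DISABLED, admin tools and Security Center notifications switched off. The EVENTS list is constructed from the report's "Set value" entries; the record shape (key, name, data, process), the rule names and the SECURITY_SERVICES set are assumptions of this example, not a Triage or Sysmon schema.

```python
"""Registry-event checks for the tampering listed under Signatures.

Added example, not part of the sandbox report. EVENTS is constructed from the
report's 'Set value' IoCs; the record shape (key, name, data, process) is an
assumed normalisation, not a Triage or Sysmon schema.
"""
import re

# Clean Winlogon UserInit value (Windows writes it with a trailing comma).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"

# Locations a normal user can write to; an autostart pointing here is suspicious.
USER_WRITABLE = re.compile(r"\\(appdata|programdata|users\\public)\\", re.I)

# Example set of security-relevant services (wscsvc is the one this sample hits).
SECURITY_SERVICES = {"wscsvc", "windefend", "mpssvc"}

SID = "S-1-5-21-268080393-3149932598-1824759070-1000"
SAMPLE = "a20f3a7d747f7b921b7f61cddd4e02e8_JaffaCakes118.exe"

# Constructed from the report: registry writes by the sample and its drop.
EVENTS = [
    {"key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "name": "UserInit", "process": SAMPLE,
     "data": r"C:\Windows\system32\userinit.exe,C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"},
    {"key": r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Run" % SID,
     "name": "MicroUpdate", "process": SAMPLE,
     "data": r"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"},
    {"key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
     "name": "EnableFirewall", "data": "0", "process": "msdcsc.exe"},
    {"key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile",
     "name": "DisableNotifications", "data": "0", "process": "msdcsc.exe"},  # benign value, must not fire
    {"key": r"\REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc",
     "name": "Start", "data": "4", "process": "msdcsc.exe"},
    {"key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center",
     "name": "UpdatesDisableNotify", "data": "1", "process": "msdcsc.exe"},
    {"key": r"\REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center",
     "name": "AntiVirusDisableNotify", "data": "1", "process": "msdcsc.exe"},
    {"key": r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Policies\System" % SID,
     "name": "DisableRegistryTools", "data": "1", "process": "msdcsc.exe"},
    {"key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern",
     "name": "NoControlPanel", "data": "1", "process": "msdcsc.exe"},  # not a real policy path; no rule here
]


def check_event(ev):
    """Return a rule name if a single 'Set value' event is suspicious, else None."""
    key = ev["key"].lower().rstrip("\\")
    name = ev["name"].lower()
    data = str(ev["data"]).strip().strip('"')
    if key.endswith("\\winlogon") and name == "userinit":
        # Anything besides the single userinit.exe entry runs at every logon.
        entries = [e.strip().lower() for e in data.split(",") if e.strip()]
        if entries != [DEFAULT_USERINIT]:
            return "winlogon_userinit_tampered"
    if re.search(r"\\currentversion\\run(once)?$", key) and USER_WRITABLE.search(data):
        return "run_key_from_user_writable_path"
    if "\\firewallpolicy\\" in key and name == "enablefirewall" and data == "0":
        return "firewall_disabled_by_policy"
    m = re.search(r"\\services\\([^\\]+)$", key)
    if m and name == "start" and m.group(1) in SECURITY_SERVICES and data == "4":
        return "security_service_disabled"  # 4 == SERVICE_DISABLED
    if key.endswith("\\policies\\system") and name in ("disableregistrytools", "disabletaskmgr") and data == "1":
        return "admin_tool_disabled_by_policy"
    if key.endswith("\\security center") and name.endswith("disablenotify") and data == "1":
        return "security_center_notifications_disabled"
    return None


def analyse(events):
    """Run every event through the checks and return the findings in input order."""
    findings = []
    for ev in events:
        rule = check_event(ev)
        if rule:
            findings.append({"rule": rule, "process": ev["process"],
                             "value": ev["key"] + "\\" + ev["name"], "data": ev["data"]})
    return findings


if __name__ == "__main__":
    for f in analyse(EVENTS):
        print("%-40s %-52s %s" % (f["rule"], f["process"], f["value"]))
```

Of the nine constructed events, seven produce findings; the DisableNotifications = 0 write and the NoControlPanel write under the malformed Explorern path correctly produce none, which is why a Winlogon check should compare the parsed entry list against the default rather than just look for a non-empty value.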
Processes

C:\Users\Admin\AppData\Local\Temp\a20f3a7d747f7b921b7f61cddd4e02e8_JaffaCakes118.exe  (PID 2180)
  command line: "C:\Users\Admin\AppData\Local\Temp\a20f3a7d747f7b921b7f61cddd4e02e8_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe  (PID 3064, child of 2180)
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\a20f3a7d747f7b921b7f61cddd4e02e8_JaffaCakes118.exe" +s +h
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe  (PID 1644, child of 3064)
      command line: attrib "C:\Users\Admin\AppData\Local\Temp\a20f3a7d747f7b921b7f61cddd4e02e8_JaffaCakes118.exe" +s +h
      - Sets file to hidden
      - Views/modifies file attributes

  C:\Windows\SysWOW64\cmd.exe  (PID 2444, child of 2180)
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe  (PID 2036, child of 2444)
      command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - Views/modifies file attributes

  C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe  (PID 2648, child of 2180)
    command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - System policy modification

    C:\Program Files (x86)\Internet Explorer\iexplore.exe  (PID 2652, child of 2648)
      command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"

    C:\Windows\explorer.exe  (PID 2040, child of 2648)
      command line: "C:\Windows\explorer.exe"

    C:\Windows\SysWOW64\notepad.exe  (PID 2904, child of 2648)
      command line: notepad

Two points worth noting when reading this tree. The command lines name System32 but the images resolve to SysWOW64: the sample is 32-bit, so WOW64 file-system redirection maps its System32 requests to the 32-bit binaries. And the second attrib run sets +s +h on the whole %TEMP% directory, not just on the dropped files, so the MSDCSC folder disappears from a default Explorer view along with everything else in Temp.
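The process tree and the WriteProcessMemory table above are what an analyst would reconstruct from process-creation and memory-write telemetry. The following is an added example (not sandbox output) that rebuilds the tree from such records and flags the three behaviours this report shows: attrib +h used to hide a file, with a "self_hide" marker when the hidden path is an ancestor's own image; executables running out of the user's Temp directory; and a parent writing into a child far more often than the handful of writes recorded at process creation. PROCS and WRITES are constructed from the PIDs, command lines and "wrote to memory of" entries on this page; the record layout and the four-write baseline used to separate injection from ordinary process start-up are assumptions of this example.

```python
"""Process-tree triage for the behaviour in this report's Processes section.

Added example, not part of the sandbox output. PROCS and WRITES are constructed
from the PIDs, command lines and 'wrote to memory of' entries in the report;
the record layout is an assumed normalisation, not a sandbox or Sysmon schema.
"""
import re
from collections import Counter

TEMP = "\\appdata\\local\\temp\\"
# attrib <quoted path> ... +h  (the +s in the report is incidental to hiding)
ATTRIB_HIDE = re.compile(r'attrib\s+"(?P<target>[^"]+)".*\+h', re.I)
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\a20f3a7d747f7b921b7f61cddd4e02e8_JaffaCakes118.exe"

# pid -> {ppid, image, cmdline}, copied from the Processes section (ppid 0 = unknown).
PROCS = {
    2180: {"ppid": 0, "image": SAMPLE, "cmdline": '"%s"' % SAMPLE},
    3064: {"ppid": 2180, "image": r"C:\Windows\SysWOW64\cmd.exe",
           "cmdline": r'"C:\Windows\System32\cmd.exe" /k attrib "%s" +s +h' % SAMPLE},
    1644: {"ppid": 3064, "image": r"C:\Windows\SysWOW64\attrib.exe",
           "cmdline": r'attrib "%s" +s +h' % SAMPLE},
    2444: {"ppid": 2180, "image": r"C:\Windows\SysWOW64\cmd.exe",
           "cmdline": r'"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h'},
    2036: {"ppid": 2444, "image": r"C:\Windows\SysWOW64\attrib.exe",
           "cmdline": r'attrib "C:\Users\Admin\AppData\Local\Temp" +s +h'},
    2648: {"ppid": 2180, "image": r"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe",
           "cmdline": r'"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"'},
    2652: {"ppid": 2648, "image": r"C:\Program Files (x86)\Internet Explorer\iexplore.exe",
           "cmdline": r'"C:\Program Files (x86)\Internet Explorer\iexplore.exe"'},
    2040: {"ppid": 2648, "image": r"C:\Windows\explorer.exe", "cmdline": r'"C:\Windows\explorer.exe"'},
    2904: {"ppid": 2648, "image": r"C:\Windows\SysWOW64\notepad.exe", "cmdline": "notepad"},
}

# (writer pid, target pid), one tuple per 'wrote to memory of' line: 7 pairs x 4 + 23 = 51.
WRITES = ([(2180, 3064), (2180, 2444), (3064, 1644), (2444, 2036), (2180, 2648),
           (2648, 2652), (2648, 2040)] * 4 + [(2648, 2904)] * 23)


def ancestors(pid, procs):
    """Yield the ancestor pids of pid, nearest parent first, stopping at unknown parents."""
    seen = set()
    while pid in procs and procs[pid]["ppid"] in procs and pid not in seen:
        seen.add(pid)
        pid = procs[pid]["ppid"]
        yield pid


def find_attrib_hiding(procs):
    """attrib +h invocations; 'self_hide' when the hidden target is an ancestor's own image."""
    out = []
    for pid, p in procs.items():
        if not p["image"].lower().endswith("\\attrib.exe"):
            continue
        m = ATTRIB_HIDE.search(p["cmdline"])
        if not m:
            continue
        anc_images = {procs[a]["image"].lower() for a in ancestors(pid, procs)}
        kind = "self_hide" if m.group("target").lower() in anc_images else "hide"
        out.append({"pid": pid, "target": m.group("target"), "kind": kind})
    return out


def find_temp_execution(procs):
    """Processes whose image lives under the user's Temp directory."""
    return sorted(pid for pid, p in procs.items() if TEMP in p["image"].lower())


def find_injection(procs, writes, baseline=4):
    """Writer/target pairs with more writes than the assumed per-child creation baseline."""
    counts = Counter(writes)
    return [{"writer": w, "target": t, "image": procs[t]["image"], "writes": n}
            for (w, t), n in sorted(counts.items()) if n > baseline]


def analyse(procs, writes):
    """Bundle the three checks into one report dict."""
    return {"attrib_hiding": find_attrib_hiding(procs),
            "temp_execution": find_temp_execution(procs),
            "injection_candidates": find_injection(procs, writes)}


if __name__ == "__main__":
    for section, items in analyse(PROCS, WRITES).items():
        print(section, items)
```

With the constructed records the only injection candidate is msdcsc.exe (2648) writing 23 times into notepad.exe (2904); the two attrib runs come back as one self-hide of the original sample and one plain hide of the Temp directory, and both the sample and its drop are reported as running from Temp. In a sandbox the original sample always runs from Temp, so that last check is most useful on telemetry from real hosts.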
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)