Analysis
max time kernel: 149s
max time network: 146s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 14/06/2024, 00:09
Static task: static1
Behavioral task: behavioral1
Sample: a740572c4f3f7536b4ecb865b442efff_JaffaCakes118.exe
Resource: win7-20240611-en
General
Target: a740572c4f3f7536b4ecb865b442efff_JaffaCakes118.exe
Size: 253KB
MD5: a740572c4f3f7536b4ecb865b442efff
SHA1: 7568ce11bb45757ed8f24b5a0b68b9d876949e0f
SHA256: 157a376e0e9e28aa1ba429b2fbb1776a938e767d3c63dda1bf5e357888d49d7e
SHA512: 574a167dc10f008cabc73ff5927ff7e633660e3dc5c5191bfc2cc0dfef27dee0e608f06c93542ff3fe21fe1221faf8899e18efd602679e4ad2a2f329bb1be65e
SSDEEP: 6144:LD7cY2fgssM7Wirg9KXylmRiL+QMeC/i6isqX7UovnONztByipwxZl:Ll8E4w5huat7UovONzbXwx
Malware Config
Extracted
Family: darkcomet
Botnet: Guest16
C2: 192.168.1.2:8080, fixs2.hopto.rog:8080
Mutex: DC_MUTEX-H774XG1
InstallPath: MSDCSC\msdcsc.com
gencode: NoUENzT16G7i
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.com"
    Process: ôîòî íîæ.com
Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  PID 3012 attrib.exe
  PID 2672 attrib.exe
Executes dropped EXE (2 IoCs)
  PID 1640 ôîòî íîæ.com
  PID 1928 msdcsc.com
Loads dropped DLL (4 IoCs)
  PID 1936 a740572c4f3f7536b4ecb865b442efff_JaffaCakes118.exe (2 entries)
  PID 1640 ôîòî íîæ.com (2 entries)
YARA rule match: upx (12 IoCs)
  behavioral1/files/0x00090000000122d6-6.dat
  behavioral1/memory/1640-9-0x0000000000400000-0x00000000004BA000-memory.dmp
  behavioral1/memory/1640-23-0x0000000000400000-0x00000000004BA000-memory.dmp
  behavioral1/memory/1928-24-0x0000000000400000-0x00000000004BA000-memory.dmp
  behavioral1/memory/1928-64-0x0000000000400000-0x00000000004BA000-memory.dmp
  behavioral1/memory/1928-66-0x0000000000400000-0x00000000004BA000-memory.dmp
  behavioral1/memory/1928-68-0x0000000000400000-0x00000000004BA000-memory.dmp
  behavioral1/memory/1928-70-0x0000000000400000-0x00000000004BA000-memory.dmp
  behavioral1/memory/1928-71-0x0000000000400000-0x00000000004BA000-memory.dmp
  behavioral1/memory/1928-73-0x0000000000400000-0x00000000004BA000-memory.dmp
  behavioral1/memory/1928-75-0x0000000000400000-0x00000000004BA000-memory.dmp
  behavioral1/memory/1928-77-0x0000000000400000-0x00000000004BA000-memory.dmp
Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1340930862-1405011213-2821322012-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.com"
    Process: ôîòî íîæ.com
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (46 IoCs)
  PID 1640 ôîòî íîæ.com and PID 1928 msdcsc.com each adjusted the same 23 token privileges:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege,
    SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege,
    SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1928 msdcsc.com
Suspicious use of WriteProcessMemory (47 IoCs)
  PID 1936 a740572c4f3f7536b4ecb865b442efff_JaffaCakes118.exe wrote to memory of 1640 (procid_target 28), 4 times
  PID 1640 ôîòî íîæ.com wrote to memory of 1624 (procid_target 29), 4 times
  PID 1640 ôîòî íîæ.com wrote to memory of 2356 (procid_target 31), 4 times
  PID 1624 cmd.exe wrote to memory of 3012 (procid_target 33), 4 times
  PID 1640 ôîòî íîæ.com wrote to memory of 1928 (procid_target 34), 4 times
  PID 2356 cmd.exe wrote to memory of 2672 (procid_target 35), 4 times
  PID 1928 msdcsc.com wrote to memory of 2612 (procid_target 36), 23 times
Views/modifies file attributes (1 TTP, 2 IoCs)
  PID 3012 attrib.exe
  PID 2672 attrib.exe
Processes
- C:\Users\Admin\AppData\Local\Temp\a740572c4f3f7536b4ecb865b442efff_JaffaCakes118.exe (PID 1936, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\a740572c4f3f7536b4ecb865b442efff_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of WriteProcessMemory
  - C:\Users\Admin\Desktop\ôîòî íîæ.com (PID 1640, level 2)
    Command line: "C:\Users\Admin\Desktop\ôîòî íîæ.com"
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\cmd.exe (PID 1624, level 3)
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\Desktop\ôîòî íîæ.com" +s +h
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe (PID 3012, level 4)
        Command line: attrib "C:\Users\Admin\Desktop\ôîòî íîæ.com" +s +h
        - Sets file to hidden
        - Views/modifies file attributes
    - C:\Windows\SysWOW64\cmd.exe (PID 2356, level 3)
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\Desktop" +s +h
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\attrib.exe (PID 2672, level 4)
        Command line: attrib "C:\Users\Admin\Desktop" +s +h
        - Sets file to hidden
        - Views/modifies file attributes
    - C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.com (PID 1928, level 3)
      Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.com"
      - Executes dropped EXE
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\notepad.exe (PID 2612, level 4)
        Command line: notepad
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads
Filesize: 253KB
MD5: 624cd8952ea4ffeda2cac7b0fe423e68
SHA1: 2471af0135bebad0fc716ca6bdeb32dcc2a6cbdf
SHA256: d386d8151807f0ffacd58fc7ea5b5b031e7ebf8a3d4e455c3010ed2251be5142
SHA512: 67b59e984b0413d00108ab3a2d5beb5242518a8eb90a44fb5f9eecbbe58011f511f84ac0ba54067b8cb2a9d0c480eb4f0c7e27b8b4ce0044ea0df6ebf559a95d