Analysis

max time kernel: 138s
max time network: 148s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 26-06-2024 21:38

Static task: static1
Behavioral task: behavioral1
Sample: 138d1fd5cbb648b4251a36a9fe914418_JaffaCakes118.exe
Resource: win7-20240611-en
General

Target: 138d1fd5cbb648b4251a36a9fe914418_JaffaCakes118.exe
Size: 1.4MB
MD5: 138d1fd5cbb648b4251a36a9fe914418
SHA1: 5bb69997672961ecb1f2d3d9246dab4fe5da3335
SHA256: 02dc555089d53f749b087fd2c724c41aa7dc6482e104730825478436719e5c9f
SHA512: aea0252bda29b0f17187b11e09abd84556bb432d43c9844e0f16a88e06005a9716b42b9af4be1a1f06c0317411f94511d2cbc2ac740d15b0a42e57e1139f6ed7
SSDEEP: 24576:Ayv3DbMr6mQs6BZudnJaCDviIEDBBJYDWcSO:5ErsIGa
Malware Config

Extracted configuration
Family: darkcomet
Botnet ID: Zombie
C2:
- anonymous-hr.zapto.org:5150
- 127.0.0.1:5150
Mutex: DC_MUTEX-JQ36SHX
InstallPath: MSDCSC\msdcsc.exe
gencode: u6ESlyfFKfg6
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
- server.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
Modifies security service (2 TTPs, 2 IoCs)
Processes:
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"
- iexplore.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"
Windows security bypass
Processes:
- iexplore.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Executes dropped EXE (3 IoCs)
Processes:
- PID 2892: Travian Hack.exe
- PID 2792: server.exe
- PID 2696: msdcsc.exe
Loads dropped DLL (2 IoCs)
Processes:
- PID 2792: server.exe
- PID 2792: server.exe
Windows security modification
Processes:
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- server.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
Suspicious use of SetThreadContext (1 IoC)
Processes:
- PID 2696 (msdcsc.exe) set thread context of PID 2572 (iexplore.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (token privilege adjusted, by process):
- PID 1656 (138d1fd5cbb648b4251a36a9fe914418_JaffaCakes118.exe): SeDebugPrivilege
- PID 2892 (Travian Hack.exe): SeDebugPrivilege
- PID 2792 (server.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- PID 2696 (msdcsc.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- PID 2572 (iexplore.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- PID 2572: iexplore.exe
Suspicious use of WriteProcessMemory (17 IoCs)
Processes (source PID wrote to memory of target PID):
- PID 1656 (138d1fd5cbb648b4251a36a9fe914418_JaffaCakes118.exe) wrote to memory of PID 2892 (Travian Hack.exe), 3 times
- PID 2892 (Travian Hack.exe) wrote to memory of PID 2792 (server.exe), 4 times
- PID 2792 (server.exe) wrote to memory of PID 2696 (msdcsc.exe), 4 times
- PID 2696 (msdcsc.exe) wrote to memory of PID 2572 (iexplore.exe), 6 times
Processes

Level 1: C:\Users\Admin\AppData\Local\Temp\138d1fd5cbb648b4251a36a9fe914418_JaffaCakes118.exe (PID 1656)
  Command line: "C:\Users\Admin\AppData\Local\Temp\138d1fd5cbb648b4251a36a9fe914418_JaffaCakes118.exe"
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  Level 2: C:\Users\Admin\AppData\Local\Temp\Travian Hack.exe (PID 2892)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Travian Hack.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    Level 3: C:\Users\Admin\AppData\Local\Temp\server.exe (PID 2792)
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      - Modifies WinLogon for persistence
      - Executes dropped EXE
      - Loads dropped DLL
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      Level 4: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 2696)
        Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        - Modifies security service
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        Level 5: C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 2572)
          Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          - Modifies security service
          - Windows security bypass
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (1)
  - Windows Service (1)
Downloads

Dropped file 1
Filesize: 1.0MB
MD5: a2d562adc906b7c0351551af1317e402
SHA1: 79b87f5e3b0312fc6f205c06f1385a633bd6ac79
SHA256: c80ee55191716d24bb89c0daf55a196b2b9f73421b03935510bd037e4432fc94
SHA512: f77f476663f0b24d3195cc23566a18cb2a59bc143ad6f631f1980f9101575562c75e09b4a4922864d03dc3fad845decf7aab712010ab4826d4dbc4b23dc9de1a

Dropped file 2
Filesize: 681KB
MD5: 135c52171999304022023d032e8f4064
SHA1: ec69532dec170bb90fa5f87bdfd0a4c57a6582df
SHA256: e51aeb463290ade3ee17c1c4203767d7154579187a163d5587a09277f8fd5dfe
SHA512: c0af921cc29ab60496d4356a7cb1205c2be43ae13ebf745de8520e4a863ca7d280d03b15793890449fe555960c9ca32c2b45a8740e02d709278f676a2e3ba457