Analysis
max time kernel: 147s
max time network: 148s
platform: windows10-2004_x64
resource: win10v2004-20240508-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240508-en, locale:en-us, os:windows10-2004-x64, system
submitted: 26-06-2024 21:38
Static task: static1
Behavioral task: behavioral1
Sample: 138d1fd5cbb648b4251a36a9fe914418_JaffaCakes118.exe
Resource: win7-20240611-en
General
Target: 138d1fd5cbb648b4251a36a9fe914418_JaffaCakes118.exe
Size: 1.4MB
MD5: 138d1fd5cbb648b4251a36a9fe914418
SHA1: 5bb69997672961ecb1f2d3d9246dab4fe5da3335
SHA256: 02dc555089d53f749b087fd2c724c41aa7dc6482e104730825478436719e5c9f
SHA512: aea0252bda29b0f17187b11e09abd84556bb432d43c9844e0f16a88e06005a9716b42b9af4be1a1f06c0317411f94511d2cbc2ac740d15b0a42e57e1139f6ed7
SSDEEP: 24576:Ayv3DbMr6mQs6BZudnJaCDviIEDBBJYDWcSO:5ErsIGa
Malware Config
Extracted
Family: darkcomet
Botnet: Zombie
C2: anonymous-hr.zapto.org:5150, 127.0.0.1:5150
Mutex: DC_MUTEX-JQ36SHX
InstallPath: MSDCSC\msdcsc.exe
gencode: u6ESlyfFKfg6
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes: server.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: server.exe)
Modifies security service (2 TTPs, 2 IoCs)
Processes: msdcsc.exe, iexplore.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (process: msdcsc.exe)
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" (process: iexplore.exe)
Windows security bypass (signature name taken from the process tree below; the heading itself is missing here)
Processes: msdcsc.exe, iexplore.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: msdcsc.exe)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: iexplore.exe)
Checks computer location settings (2 TTPs, 3 IoCs)
Looks up country code configured in the registry, likely geofence.
Processes: 138d1fd5cbb648b4251a36a9fe914418_JaffaCakes118.exe, Travian Hack.exe, server.exe
- Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (process: 138d1fd5cbb648b4251a36a9fe914418_JaffaCakes118.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (process: Travian Hack.exe)
- Key value queried \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\Control Panel\International\Geo\Nation (process: server.exe)
Executes dropped EXE (3 IoCs)
Processes: Travian Hack.exe, server.exe, msdcsc.exe
- PID 228 Travian Hack.exe
- PID 764 server.exe
- PID 3092 msdcsc.exe
Windows security modification (signature name taken from the process tree below; the heading itself is missing here)
Processes: msdcsc.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: msdcsc.exe)
Adds Run key to start application (2 TTPs, 1 IoC)
Processes: server.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-1337824034-2731376981-3755436523-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: server.exe)
Suspicious use of SetThreadContext (1 IoC)
Processes: msdcsc.exe
- PID 3092 set thread context of 3420 (process: 3092 msdcsc.exe; target process: iexplore.exe)
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 138d1fd5cbb648b4251a36a9fe914418_JaffaCakes118.exe, Travian Hack.exe, server.exe, msdcsc.exe, iexplore.exe
- PID 956 138d1fd5cbb648b4251a36a9fe914418_JaffaCakes118.exe: Token: SeDebugPrivilege
- PID 228 Travian Hack.exe: Token: SeDebugPrivilege
- PID 764 server.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 3092 msdcsc.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 3420 iexplore.exe: Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege
Suspicious use of SetWindowsHookEx (1 IoC)
Processes: iexplore.exe
- PID 3420 iexplore.exe
Suspicious use of WriteProcessMemory (13 IoCs)
Processes: 138d1fd5cbb648b4251a36a9fe914418_JaffaCakes118.exe, Travian Hack.exe, server.exe, msdcsc.exe
- PID 956 (138d1fd5cbb648b4251a36a9fe914418_JaffaCakes118.exe) wrote to memory of PID 228 (target process: Travian Hack.exe): 2 events
- PID 228 (Travian Hack.exe) wrote to memory of PID 764 (target process: server.exe): 3 events
- PID 764 (server.exe) wrote to memory of PID 3092 (target process: msdcsc.exe): 3 events
- PID 3092 (msdcsc.exe) wrote to memory of PID 3420 (target process: iexplore.exe): 5 events
Processes
C:\Users\Admin\AppData\Local\Temp\138d1fd5cbb648b4251a36a9fe914418_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\138d1fd5cbb648b4251a36a9fe914418_JaffaCakes118.exe"
  PID: 956
  - Checks computer location settings
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Users\Admin\AppData\Local\Temp\Travian Hack.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\Travian Hack.exe"
    PID: 228
    - Checks computer location settings
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Users\Admin\AppData\Local\Temp\server.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
      PID: 764
      - Modifies WinLogon for persistence
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        PID: 3092
        - Modifies security service
        - Windows security bypass
        - Executes dropped EXE
        - Windows security modification
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        C:\Program Files (x86)\Internet Explorer\iexplore.exe
          Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
          PID: 3420
          - Modifies security service
          - Windows security bypass
          - Suspicious use of AdjustPrivilegeToken
          - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution: 2
  - Registry Run Keys / Startup Folder: 1
  - Winlogon Helper DLL: 1
- Create or Modify System Process: 1
  - Windows Service: 1
Downloads
Filesize: 1.0MB
MD5: a2d562adc906b7c0351551af1317e402
SHA1: 79b87f5e3b0312fc6f205c06f1385a633bd6ac79
SHA256: c80ee55191716d24bb89c0daf55a196b2b9f73421b03935510bd037e4432fc94
SHA512: f77f476663f0b24d3195cc23566a18cb2a59bc143ad6f631f1980f9101575562c75e09b4a4922864d03dc3fad845decf7aab712010ab4826d4dbc4b23dc9de1a

Filesize: 681KB
MD5: 135c52171999304022023d032e8f4064
SHA1: ec69532dec170bb90fa5f87bdfd0a4c57a6582df
SHA256: e51aeb463290ade3ee17c1c4203767d7154579187a163d5587a09277f8fd5dfe
SHA512: c0af921cc29ab60496d4356a7cb1205c2be43ae13ebf745de8520e4a863ca7d280d03b15793890449fe555960c9ca32c2b45a8740e02d709278f676a2e3ba457