Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows7_x64 -
resource
win7-20240419-en -
resource tags
arch:x64, arch:x86, image:win7-20240419-en, locale:en-us, os:windows7-x64, system -
submitted
26-06-2024 20:58
Static task
static1
Behavioral task
behavioral1
Sample
136d9001b11fba77ae168bf0f09a7ee5_JaffaCakes118.exe
Resource
win7-20240419-en
General
-
Target
136d9001b11fba77ae168bf0f09a7ee5_JaffaCakes118.exe
-
Size
1.9MB
-
MD5
136d9001b11fba77ae168bf0f09a7ee5
-
SHA1
b628cc11be2ecb992163a3ab335c0a4e31d2d573
-
SHA256
f997497b76f240159e28d44b943a40e0ea27b6c4d7b2cdb6dc769d65bbb92544
-
SHA512
80ba416964e3402a280b4b9dbe9e4abbfab49f029451dd4f5c1ec80a8cad8cae1438d366436168b6912492fda0108cf28d1ca16fd80d46029aef0c97a47008e3
-
SSDEEP
24576:GE0fHw0TS/Tlr+robnykC36QNOhh0/svqus32tt4Onwp8aJRdoUepoLJlPK5Hyep:GE0fQ0TSLV+LSaOI/4FwpRpyHYm+2ah
Malware Config
Extracted
Family
darkcomet
Botnet
Finally
C2
tast.no-ip.biz:82
Mutex
DC_MUTEX-98S0K24
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
j6R1c8a9GWJZ
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: vbc.exe
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | vbc.exe
-
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
-
Executes dropped EXE 5 IoCs
Processes: Hacker reporter.exe, vbc.exe, Banner.exe, msdcsc.exe, vbc.exe
pid | process
2080 | Hacker reporter.exe
2744 | vbc.exe
2576 | Banner.exe
1852 | msdcsc.exe
2360 | vbc.exe
-
Loads dropped DLL 7 IoCs
Processes: 136d9001b11fba77ae168bf0f09a7ee5_JaffaCakes118.exe, Hacker reporter.exe, vbc.exe, msdcsc.exe
pid | process
3020 | 136d9001b11fba77ae168bf0f09a7ee5_JaffaCakes118.exe
3020 | 136d9001b11fba77ae168bf0f09a7ee5_JaffaCakes118.exe
2080 | Hacker reporter.exe
3020 | 136d9001b11fba77ae168bf0f09a7ee5_JaffaCakes118.exe
2744 | vbc.exe
2744 | vbc.exe
1852 | msdcsc.exe
-
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 2 IoCs
Processes: vbc.exe, vbc.exe
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | vbc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | vbc.exe
-
Suspicious use of SetThreadContext 2 IoCs
Processes: Hacker reporter.exe, msdcsc.exe
description | pid | process | target process
set thread context | 2080 | Hacker reporter.exe | vbc.exe
set thread context | 1852 | msdcsc.exe | vbc.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious use of AdjustPrivilegeToken 46 IoCs
Processes: vbc.exe, vbc.exe
pid | process | tokens (in the order reported)
2744 | vbc.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
2360 | vbc.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
-
Suspicious use of SetWindowsHookEx 1 IoCs
Processes: vbc.exe
pid | process
2360 | vbc.exe
-
Suspicious use of WriteProcessMemory 64 IoCs
Processes: 136d9001b11fba77ae168bf0f09a7ee5_JaffaCakes118.exe, Hacker reporter.exe, vbc.exe, cmd.exe, msdcsc.exe
Identical entries are collapsed; the count column gives the number of repeated IoC rows (64 in total).
description | pid | process | target process | count
wrote to memory of 2080 | 3020 | 136d9001b11fba77ae168bf0f09a7ee5_JaffaCakes118.exe | Hacker reporter.exe | 4
wrote to memory of 2744 | 2080 | Hacker reporter.exe | vbc.exe | 15
wrote to memory of 2576 | 3020 | 136d9001b11fba77ae168bf0f09a7ee5_JaffaCakes118.exe | Banner.exe | 4
wrote to memory of 2536 | 2744 | vbc.exe | cmd.exe | 4
wrote to memory of 1984 | 2744 | vbc.exe | notepad.exe | 18
wrote to memory of 1540 | 2536 | cmd.exe | attrib.exe | 4
wrote to memory of 1852 | 2744 | vbc.exe | msdcsc.exe | 4
wrote to memory of 2360 | 1852 | msdcsc.exe | vbc.exe | 11
-
Views/modifies file attributes 1 TTPs 1 IoCs
Processes (tree depth in brackets)
-
[1] C:\Users\Admin\AppData\Local\Temp\136d9001b11fba77ae168bf0f09a7ee5_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\136d9001b11fba77ae168bf0f09a7ee5_JaffaCakes118.exe"
    - Loads dropped DLL
    - Suspicious use of WriteProcessMemory
    PID: 3020
  [2] C:\Users\Admin\AppData\Local\Temp\Hacker reporter.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Hacker reporter.exe"
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory
      PID: 2080
    [3] C:\Users\Admin\AppData\Local\Temp\vbc.exe
        Command line: C:\Users\Admin\AppData\Local\Temp\vbc.exe
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        PID: 2744
      [4] C:\Windows\SysWOW64\cmd.exe
          Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\Hacker reporter.exe" +s +h
          - Suspicious use of WriteProcessMemory
          PID: 2536
        [5] C:\Windows\SysWOW64\attrib.exe
            Command line: attrib "C:\Users\Admin\AppData\Local\Temp\Hacker reporter.exe" +s +h
            - Sets file to hidden
            - Views/modifies file attributes
            PID: 1540
      [4] C:\Windows\SysWOW64\notepad.exe
          Command line: notepad
          PID: 1984
      [4] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
          Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
          - Executes dropped EXE
          - Loads dropped DLL
          - Suspicious use of SetThreadContext
          - Suspicious use of WriteProcessMemory
          PID: 1852
        [5] C:\Users\Admin\AppData\Local\Temp\vbc.exe
            Command line: C:\Users\Admin\AppData\Local\Temp\vbc.exe
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            PID: 2360
          [6] C:\Windows\SysWOW64\notepad.exe
              Command line: notepad
              PID: 1428
  [2] C:\Users\Admin\AppData\Local\Temp\Banner.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Banner.exe"
      - Executes dropped EXE
      PID: 2576
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads
-
Filesize
18KB
MD5
463efc38869e2e4e315906d22b5e6d78
SHA1
01535b4ccc407affb680ac66258658c4911fb8c2
SHA256
4958b9f95e341ad6dcae3024013b3fcf5c5daabd3ff76a2762d731aacec752ba
SHA512
0be72a9e9d9bdc794e60ffd0046483374f461b32651005b95a3f1df0a8072c7e49205c3abfd6227b85b23c9261235041f7d529f41636d674105e5ee6b1a9f03b
-
Filesize
1.4MB
MD5
f3e67997c30576c80336de144362bb05
SHA1
3170b8ad87dc730c40d6c425869afe0a13b0e610
SHA256
1b7fe710b229b4b11a7fce71d190454b4dc259e54ea38f23eb2f6f8dcbe3f618
SHA512
d8cb6e6836626c558f6fd5ff8f92926d348950a11bb9cb9e21bb563bbd962aa51312e9297052ae60a7a9b0e015a45597ec42f5de76354bba6f74480744b92666
-
Filesize
1.1MB
MD5
34aa912defa18c2c129f1e09d75c1d7e
SHA1
9c3046324657505a30ecd9b1fdb46c05bde7d470
SHA256
6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
SHA512
d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98