Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 26-06-2024 20:58

Tasks
- Static task: static1
- Behavioral task: behavioral1
  Sample: 136d9001b11fba77ae168bf0f09a7ee5_JaffaCakes118.exe
  Resource: win7-20240419-en
General
- Target: 136d9001b11fba77ae168bf0f09a7ee5_JaffaCakes118.exe
- Size: 1.9MB
- MD5: 136d9001b11fba77ae168bf0f09a7ee5
- SHA1: b628cc11be2ecb992163a3ab335c0a4e31d2d573
- SHA256: f997497b76f240159e28d44b943a40e0ea27b6c4d7b2cdb6dc769d65bbb92544
- SHA512: 80ba416964e3402a280b4b9dbe9e4abbfab49f029451dd4f5c1ec80a8cad8cae1438d366436168b6912492fda0108cf28d1ca16fd80d46029aef0c97a47008e3
- SSDEEP: 24576:GE0fHw0TS/Tlr+robnykC36QNOhh0/svqus32tt4Onwp8aJRdoUepoLJlPK5Hyep:GE0fQ0TSLV+LSaOI/4FwpRpyHYm+2ah
Malware Config
Extracted
- Family: darkcomet
- Botnet: Finally
- C2: tast.no-ip.biz:82
- Mutex: DC_MUTEX-98S0K24
- InstallPath: MSDCSC\msdcsc.exe
- gencode: j6R1c8a9GWJZ
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process: vbc.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
- Sets file to hidden (1 TTP, 1 IoC)
  Modifies file attributes to stop it showing in Explorer etc.
- Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation (136d9001b11fba77ae168bf0f09a7ee5_JaffaCakes118.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation (vbc.exe)
- Executes dropped EXE (5 IoCs)
  PID 4140 Hacker reporter.exe; PID 4328 vbc.exe; PID 3028 Banner.exe; PID 4664 msdcsc.exe; PID 1472 vbc.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (vbc.exe, recorded once for each of the two vbc.exe instances)
- Suspicious use of SetThreadContext (2 IoCs)
  PID 4140 (Hacker reporter.exe) set thread context of PID 4328 (vbc.exe)
  PID 4664 (msdcsc.exe) set thread context of PID 1472 (vbc.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (vbc.exe)
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Both vbc.exe instances (PID 4328 and PID 1472) adjust the same 24 token privileges, 24 entries each:
  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1472 vbc.exe
- Suspicious use of WriteProcessMemory (64 IoCs)
  Writes are grouped below by source and target process; the count is the number of recorded IoCs for that pair.
  PID 4532 (136d9001b11fba77ae168bf0f09a7ee5_JaffaCakes118.exe) wrote to memory of PID 4140 (Hacker reporter.exe): 3
  PID 4140 (Hacker reporter.exe) wrote to memory of PID 4328 (vbc.exe): 16
  PID 4328 (vbc.exe) wrote to memory of PID 760 (cmd.exe): 3
  PID 4328 (vbc.exe) wrote to memory of PID 4048 (notepad.exe): 17
  PID 760 (cmd.exe) wrote to memory of PID 4756 (attrib.exe): 3
  PID 4532 (136d9001b11fba77ae168bf0f09a7ee5_JaffaCakes118.exe) wrote to memory of PID 3028 (Banner.exe): 3
  PID 4328 (vbc.exe) wrote to memory of PID 4664 (msdcsc.exe): 3
  PID 4664 (msdcsc.exe) wrote to memory of PID 1472 (vbc.exe): 16
- Views/modifies file attributes (1 TTP, 1 IoC)

Processes
- C:\Users\Admin\AppData\Local\Temp\136d9001b11fba77ae168bf0f09a7ee5_JaffaCakes118.exe (depth 1, PID 4532)
  Command line: "C:\Users\Admin\AppData\Local\Temp\136d9001b11fba77ae168bf0f09a7ee5_JaffaCakes118.exe"
  Signatures: Checks computer location settings; Suspicious use of WriteProcessMemory
  - C:\Users\Admin\AppData\Local\Temp\Hacker reporter.exe (depth 2, PID 4140)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Hacker reporter.exe"
    Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
    - C:\Users\Admin\AppData\Local\Temp\vbc.exe (depth 3, PID 4328)
      Command line: C:\Users\Admin\AppData\Local\Temp\vbc.exe
      Signatures: Modifies WinLogon for persistence; Checks computer location settings; Executes dropped EXE; Adds Run key to start application; Modifies registry class; Suspicious use of AdjustPrivilegeToken; Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\cmd.exe (depth 4, PID 760)
        Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\Hacker reporter.exe" +s +h
        Signatures: Suspicious use of WriteProcessMemory
        - C:\Windows\SysWOW64\attrib.exe (depth 5, PID 4756)
          Command line: attrib "C:\Users\Admin\AppData\Local\Temp\Hacker reporter.exe" +s +h
          Signatures: Sets file to hidden; Views/modifies file attributes
      - C:\Windows\SysWOW64\notepad.exe (depth 4, PID 4048)
        Command line: notepad
      - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (depth 4, PID 4664)
        Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        Signatures: Executes dropped EXE; Suspicious use of SetThreadContext; Suspicious use of WriteProcessMemory
        - C:\Users\Admin\AppData\Local\Temp\vbc.exe (depth 5, PID 1472)
          Command line: C:\Users\Admin\AppData\Local\Temp\vbc.exe
          Signatures: Executes dropped EXE; Adds Run key to start application; Suspicious use of AdjustPrivilegeToken; Suspicious use of SetWindowsHookEx
          - C:\Windows\SysWOW64\notepad.exe (depth 6, PID 2672)
            Command line: notepad
  - C:\Users\Admin\AppData\Local\Temp\Banner.exe (depth 2, PID 3028)
    Command line: "C:\Users\Admin\AppData\Local\Temp\Banner.exe"
    Signatures: Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
Downloads