Analysis
max time kernel: 150s
max time network: 152s
platform: windows10-2004_x64
resource: win10v2004-20240611-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27-06-2024 01:33
Static task: static1
Behavioral task: behavioral1
Sample: 1435c8d7a0157784e181d48ea5aa24b3_JaffaCakes118.exe
Resource: win7-20240419-en
General
Target: 1435c8d7a0157784e181d48ea5aa24b3_JaffaCakes118.exe
Size: 421KB
MD5: 1435c8d7a0157784e181d48ea5aa24b3
SHA1: dfa8c21ef3373153160a29324073fb9e875dc1fe
SHA256: d4f6824fcfac08808c07fdc5127abcb1df78cb6ba4fb4689a56413b24ace19d5
SHA512: b92579de58cee65f63066c2891c6aa38151d55f81973a3fff8701f0e94aae8fd14fa0fe652c0de48b1040ba2fc46a0999db6f2a1eede803db63f90f6df482b3e
SSDEEP: 12288:HVr5qkjoiEzoU4qjGiybs1df5WNm3C/OpRh+6cn:1ckUpUU4q3gs1dfAmoOfh+6cn
Malware Config
Extracted family: darkcomet
ãÓßíä (shown as Latin-1; the bytes decode as the cp1256 Arabic string مسكين, an assumption based on the byte values)
aniss1.no-ip.biz:81
DC_MUTEX-SCE46ML
InstallPath: MSDCSC\msdcsc.exe
gencode: CQl4sBMa8TLp
install: true
offline_keylogger: true
password: 123
persistence: true
reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- 1435c8d7a0157784e181d48ea5aa24b3_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"

Modifies security service (2 TTPs, 1 IoC)
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"

Windows security bypass
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"

Disables RegEdit via registry modification (1 IoC)
- msdcsc.exe: Set value (int) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"

Disables Task Manager via registry modification

Sets file to hidden (1 TTP, 1 IoC)
Modifies file attributes to stop it showing in Explorer etc.

Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
- 1435c8d7a0157784e181d48ea5aa24b3_JaffaCakes118.exe: Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (1 IoC)
- PID 1664 msdcsc.exe

Windows security modification
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"

Adds Run key to start application (2 TTPs, 2 IoCs)
- 1435c8d7a0157784e181d48ea5aa24b3_JaffaCakes118.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
- msdcsc.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
- PID 3444 WerFault.exe, target PID 4656 notepad.exe

Modifies registry class (1 IoC)
- 1435c8d7a0157784e181d48ea5aa24b3_JaffaCakes118.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
- PID 1664 msdcsc.exe

Suspicious use of AdjustPrivilegeToken (48 IoCs)
- PID 3472 1435c8d7a0157784e181d48ea5aa24b3_JaffaCakes118.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 1664 msdcsc.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 1664 msdcsc.exe

Suspicious use of WriteProcessMemory (31 IoCs)
- PID 3472 (1435c8d7a0157784e181d48ea5aa24b3_JaffaCakes118.exe) wrote to memory of PID 3712 (cmd.exe), 3 events
- PID 3712 (cmd.exe) wrote to memory of PID 4704 (attrib.exe), 3 events
- PID 3472 (1435c8d7a0157784e181d48ea5aa24b3_JaffaCakes118.exe) wrote to memory of PID 1664 (msdcsc.exe), 3 events
- PID 1664 (msdcsc.exe) wrote to memory of PID 4656 (notepad.exe), 22 events

Views/modifies file attributes (1 TTP, 1 IoC)
Processes

C:\Users\Admin\AppData\Local\Temp\1435c8d7a0157784e181d48ea5aa24b3_JaffaCakes118.exe (PID 3472)
  command line: "C:\Users\Admin\AppData\Local\Temp\1435c8d7a0157784e181d48ea5aa24b3_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  C:\Windows\SysWOW64\cmd.exe (PID 3712)
    command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\attrib.exe (PID 4704)
      command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - Views/modifies file attributes

  C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 1664)
    command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Modifies security service
    - Windows security bypass
    - Disables RegEdit via registry modification
    - Executes dropped EXE
    - Windows security modification
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\notepad.exe (PID 4656)
      command line: notepad

      C:\Windows\SysWOW64\WerFault.exe (PID 3444)
        command line: C:\Windows\SysWOW64\WerFault.exe -u -p 4656 -s 416
        - Program crash

C:\Windows\SysWOW64\WerFault.exe (PID 1556)
  command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 4656 -ip 4656
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)