Analysis
max time kernel: 150s
max time network: 120s
platform: windows7_x64
resource: win7-20240419-en
resource tags: arch:x64 arch:x86 image:win7-20240419-en locale:en-us os:windows7-x64 system
submitted: 27-06-2024 02:43
Static task: static1
Behavioral task: behavioral1
Sample: 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe
Resource: win7-20240419-en
General
Target: 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe
Size: 390KB
MD5: 1464f3dcd4b0d324dba1f25edfdfbc48
SHA1: 783bc3b80a525a199d8455a770538c6ffc1d9763
SHA256: 76e44b55cee89612253fc46a745d993c410d9f4c81e18b2b90a2b42dd9f81909
SHA512: 8f70177a7f0ee6a60880aa6d126ab679763670842db2b49e88e2f8e8e2995f494204687f3591bca0b570b3316d3c0701c29b287cc421c069c427829334044dcc
SSDEEP: 6144:OHDpevpiZ+BrNgMvrW8L8axJ1jh4LmXJljbPYj0hX/bOV3wobnzLX:OV+piZ+BhPvrW84ch4L0/QjeP0RzL
Malware Config
Extracted
Family: darkcomet
®2050
C2: 127solo4ever.no-ip.info:7695
Mutex: DC_MUTEX-JX4GZZ5
InstallPath: MSDCSC\HostServices.exe
gencode: jm3NqZerrg9Z
install: true
offline_keylogger: true
password: 8621
persistence: true
reg_key: Microsoft corporation
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes (description, ioc, process):
  Set value (str)
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\HostServices.exe"
  1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe

Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes (pid, process):
  2500 attrib.exe
  2676 attrib.exe

Deletes itself (1 IoCs)
Processes (pid, process):
  2756 notepad.exe

Executes dropped EXE (2 IoCs)
Processes (pid, process):
  2708 HostServices.exe
  2612 HostServices.exe

Loads dropped DLL (3 IoCs)
Processes (pid, process):
  2404 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe
  2404 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe
  2708 HostServices.exe

Processes (resource, yara_rule):
  behavioral1/memory/2404-2-0x0000000000400000-0x00000000004CA000-memory.dmp upx
  behavioral1/memory/2404-11-0x0000000000400000-0x00000000004CA000-memory.dmp upx
  behavioral1/memory/2404-12-0x0000000000400000-0x00000000004CA000-memory.dmp upx
  behavioral1/memory/2404-6-0x0000000000400000-0x00000000004CA000-memory.dmp upx
  behavioral1/memory/2404-4-0x0000000000400000-0x00000000004CA000-memory.dmp upx
  behavioral1/memory/2404-13-0x0000000000400000-0x00000000004CA000-memory.dmp upx
  behavioral1/memory/2404-14-0x0000000000400000-0x00000000004CA000-memory.dmp upx
  behavioral1/memory/2404-15-0x0000000000400000-0x00000000004CA000-memory.dmp upx
  behavioral1/memory/2404-17-0x0000000000400000-0x00000000004CA000-memory.dmp upx
  behavioral1/memory/2404-16-0x0000000000400000-0x00000000004CA000-memory.dmp upx
  behavioral1/memory/2404-48-0x0000000000400000-0x00000000004CA000-memory.dmp upx
  behavioral1/memory/2612-66-0x0000000000400000-0x00000000004CA000-memory.dmp upx
  behavioral1/memory/2612-65-0x0000000000400000-0x00000000004CA000-memory.dmp upx
  behavioral1/memory/2612-67-0x0000000000400000-0x00000000004CA000-memory.dmp upx
  behavioral1/memory/2612-111-0x0000000000400000-0x00000000004CA000-memory.dmp upx

Adds Run key to start application (2 TTPs, 2 IoCs)
Processes (description, ioc, process):
  Set value (str)
  \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft corporation = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\HostServices.exe"
  1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe

  Set value (str)
  \REGISTRY\USER\S-1-5-21-481678230-3773327859-3495911762-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft corporation = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\HostServices.exe"
  HostServices.exe

Suspicious use of SetThreadContext (2 IoCs)
Processes (description | pid | process | target process):
  PID 2352 set thread context of 2404 | 2352 | 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe | 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe
  PID 2708 set thread context of 2612 | 2708 | HostServices.exe | HostServices.exe

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes (description, pid, process). The same 23 tokens are listed for both PID 2404 (1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe) and PID 2612 (HostServices.exe):
  Token: SeIncreaseQuotaPrivilege
  Token: SeSecurityPrivilege
  Token: SeTakeOwnershipPrivilege
  Token: SeLoadDriverPrivilege
  Token: SeSystemProfilePrivilege
  Token: SeSystemtimePrivilege
  Token: SeProfSingleProcessPrivilege
  Token: SeIncBasePriorityPrivilege
  Token: SeCreatePagefilePrivilege
  Token: SeBackupPrivilege
  Token: SeRestorePrivilege
  Token: SeShutdownPrivilege
  Token: SeDebugPrivilege
  Token: SeSystemEnvironmentPrivilege
  Token: SeChangeNotifyPrivilege
  Token: SeRemoteShutdownPrivilege
  Token: SeUndockPrivilege
  Token: SeManageVolumePrivilege
  Token: SeImpersonatePrivilege
  Token: SeCreateGlobalPrivilege
  Token: 33
  Token: 34
  Token: 35

Suspicious use of SetWindowsHookEx (1 IoCs)
Processes (pid, process):
  2612 HostServices.exe

Suspicious use of WriteProcessMemory (64 IoCs)
Processes (description | pid | process | target process; identical rows collapsed, count in parentheses):
  PID 2352 wrote to memory of 2404 | 2352 | 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe | 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe (x8)
  PID 2404 wrote to memory of 2748 | 2404 | 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe | cmd.exe (x4)
  PID 2404 wrote to memory of 2760 | 2404 | 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe | cmd.exe (x4)
  PID 2404 wrote to memory of 2756 | 2404 | 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe | notepad.exe (x18)
  PID 2760 wrote to memory of 2500 | 2760 | cmd.exe | attrib.exe (x4)
  PID 2748 wrote to memory of 2676 | 2748 | cmd.exe | attrib.exe (x4)
  PID 2404 wrote to memory of 2708 | 2404 | 1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe | HostServices.exe (x4)
  PID 2708 wrote to memory of 2612 | 2708 | HostServices.exe | HostServices.exe (x8)
  PID 2612 wrote to memory of 2880 | 2612 | HostServices.exe | notepad.exe (x10)

Views/modifies file attributes (1 TTPs, 2 IoCs)
Processes (pid, process):
  2500 attrib.exe
  2676 attrib.exe
Processes
Process tree (indentation shows parent/child depth; each entry gives image path, command line, PID and triggered signatures):

C:\Users\Admin\AppData\Local\Temp\1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe"
  PID: 2352
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe
    PID: 2404
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe" +s +h
      PID: 2748
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp\1464f3dcd4b0d324dba1f25edfdfbc48_JaffaCakes118.exe" +s +h
        PID: 2676
        - Sets file to hidden
        - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      PID: 2760
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        PID: 2500
        - Sets file to hidden
        - Views/modifies file attributes

    C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
      PID: 2756
      - Deletes itself

    C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\HostServices.exe
      Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\HostServices.exe"
      PID: 2708
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of SetThreadContext
      - Suspicious use of WriteProcessMemory

      C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\HostServices.exe
        Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\HostServices.exe"
        PID: 2612
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory

        C:\Windows\SysWOW64\notepad.exe
          Command line: notepad
          PID: 2880
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads
Filesize: 390KB
MD5: 1464f3dcd4b0d324dba1f25edfdfbc48
SHA1: 783bc3b80a525a199d8455a770538c6ffc1d9763
SHA256: 76e44b55cee89612253fc46a745d993c410d9f4c81e18b2b90a2b42dd9f81909
SHA512: 8f70177a7f0ee6a60880aa6d126ab679763670842db2b49e88e2f8e8e2995f494204687f3591bca0b570b3316d3c0701c29b287cc421c069c427829334044dcc