Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 27-06-2024 13:50
Static task: static1
Behavioral task: behavioral1
- Sample: 163b14745b63876196be7dd7e91c1be2_JaffaCakes118.exe
- Resource: win7-20240508-en
General
- Target: 163b14745b63876196be7dd7e91c1be2_JaffaCakes118.exe
- Size: 332KB
- MD5: 163b14745b63876196be7dd7e91c1be2
- SHA1: c7c6940cf4f05ad67b5cb141d98c7c208b2e6885
- SHA256: 083e6e89198bd3088d2798d4e22e72e577666cbc16884e464766504c70ef4276
- SHA512: 795cfb77ef725c34aa62757cf6c321cf671c10825d832325c687b96bebbd9ccaf4db90df917d58d0a0d4ab50985dce174dee47836ea62eb916312bce2cfc9da6
- SSDEEP: 6144:sYLtU7Ixhnhz5qLZWBRyve1+HxhV+baign+kuERMEnBa:7sI3lQK71870baign+kRXnI
Malware Config
Extracted
- Family: darkcomet
- Botnet: One-Dz
- C2: fucksuck.myftp.org:100
- Mutex: DC_MUTEX-BV4T666
- InstallPath: MSDCSC\msdcsc.exe
- gencode: isDoctiQ3i8k
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
- 163b14745b63876196be7dd7e91c1be2_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"
Modifies firewall policy service (3 TTPs, 3 IoCs)
Processes:
- msdcsc.exe: Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"
Modifies security service (2 TTPs, 1 IoC)
Processes:
- msdcsc.exe: Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4"
Windows security bypass (2 IoCs)
Processes:
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes:
- attrib.exe (PID 3476)
- attrib.exe (PID 1136)
Checks computer location settings (2 TTPs, 1 IoC)
Looks up country code configured in the registry, likely geofence.
Processes:
- 163b14745b63876196be7dd7e91c1be2_JaffaCakes118.exe: Key value queried \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\Control Panel\International\Geo\Nation
Deletes itself (1 IoC)
Processes:
- notepad.exe (PID 1052)
Executes dropped EXE (1 IoC)
Processes:
- msdcsc.exe (PID 3672)
Windows security modification (2 IoCs)
Processes:
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
- 163b14745b63876196be7dd7e91c1be2_JaffaCakes118.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2080292272-204036150-2159171770-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe"
Drops file in System32 directory (3 IoCs)
Processes:
- 163b14745b63876196be7dd7e91c1be2_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\MSDCSC\
- 163b14745b63876196be7dd7e91c1be2_JaffaCakes118.exe: File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
- 163b14745b63876196be7dd7e91c1be2_JaffaCakes118.exe: File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Modifies registry class (1 IoC)
Processes:
- 163b14745b63876196be7dd7e91c1be2_JaffaCakes118.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Processes:
- msdcsc.exe (PID 3672)
Suspicious use of AdjustPrivilegeToken (48 IoCs)
Processes:
- 163b14745b63876196be7dd7e91c1be2_JaffaCakes118.exe (PID 3644), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- msdcsc.exe (PID 3672), Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
Suspicious use of SetWindowsHookEx (1 IoC)
Processes:
- msdcsc.exe (PID 3672)
Suspicious use of WriteProcessMemory (59 IoCs)
Processes (source PID wrote to memory of target PID, with the number of recorded writes):
- PID 3644 (163b14745b63876196be7dd7e91c1be2_JaffaCakes118.exe) wrote to memory of PID 964 (cmd.exe): 3 times
- PID 3644 (163b14745b63876196be7dd7e91c1be2_JaffaCakes118.exe) wrote to memory of PID 712 (cmd.exe): 3 times
- PID 3644 (163b14745b63876196be7dd7e91c1be2_JaffaCakes118.exe) wrote to memory of PID 1052 (notepad.exe): 17 times
- PID 964 (cmd.exe) wrote to memory of PID 3476 (attrib.exe): 3 times
- PID 712 (cmd.exe) wrote to memory of PID 1136 (attrib.exe): 3 times
- PID 3644 (163b14745b63876196be7dd7e91c1be2_JaffaCakes118.exe) wrote to memory of PID 3672 (msdcsc.exe): 3 times
- PID 3672 (msdcsc.exe) wrote to memory of PID 2080 (iexplore.exe): 3 times
- PID 3672 (msdcsc.exe) wrote to memory of PID 3928 (explorer.exe): 2 times
- PID 3672 (msdcsc.exe) wrote to memory of PID 3584 (notepad.exe): 22 times
System policy modification (1 TTP, 3 IoCs)
Processes:
- msdcsc.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"
- msdcsc.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
- msdcsc.exe: Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes:
- attrib.exe (PID 1136)
- attrib.exe (PID 3476)
Processes (process tree; children are indented under their parent)
C:\Users\Admin\AppData\Local\Temp\163b14745b63876196be7dd7e91c1be2_JaffaCakes118.exe (PID 3644)
  Command line: "C:\Users\Admin\AppData\Local\Temp\163b14745b63876196be7dd7e91c1be2_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in System32 directory
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\cmd.exe (PID 964)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\163b14745b63876196be7dd7e91c1be2_JaffaCakes118.exe" +s +h
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe (PID 3476)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\163b14745b63876196be7dd7e91c1be2_JaffaCakes118.exe" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  C:\Windows\SysWOW64\cmd.exe (PID 712)
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\attrib.exe (PID 1136)
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - Views/modifies file attributes
  C:\Windows\SysWOW64\notepad.exe (PID 1052)
    Command line: notepad
    - Deletes itself
  C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (PID 3672)
    Command line: "C:\Windows\system32\MSDCSC\msdcsc.exe"
    - Modifies firewall policy service
    - Modifies security service
    - Windows security bypass
    - Executes dropped EXE
    - Windows security modification
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - System policy modification
    C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 2080)
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    C:\Windows\explorer.exe (PID 3928)
      Command line: "C:\Windows\explorer.exe"
    C:\Windows\SysWOW64\notepad.exe (PID 3584)
      Command line: notepad
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)