Analysis
-
max time kernel
133s -
max time network
103s -
platform
windows10-2004_x64 -
resource
win10v2004-20240611-en -
resource tags
arch:x64arch:x86image:win10v2004-20240611-enlocale:en-usos:windows10-2004-x64system -
submitted
27-06-2024 16:38
Static task
static1
Behavioral task
behavioral1
Sample
16b8315c6de1994bdcbc0faf574a162b_JaffaCakes118.exe
Resource
win7-20240611-en
General
-
Target
16b8315c6de1994bdcbc0faf574a162b_JaffaCakes118.exe
-
Size
300KB
-
MD5
16b8315c6de1994bdcbc0faf574a162b
-
SHA1
38c2018b835dcc8dd6e6c156f7619c8e0acc493d
-
SHA256
018556978f8a8e862bb57db11a55e0be62b424db127b66cd77451fe970b30ee0
-
SHA512
85f5c29486979cb3480fbfa9ab302a29463b060b12dc3aa95785037cfdc2b7f917492f8a1f3a7043d80ef09dca38b908b0f4423907f31148b8c554323fdca4f2
-
SSDEEP
6144:63EriZWNoVdGEu3j1LdH+gYOFtDD02M14rqM:8EWdGn3jzH+ca5M
Malware Config
Extracted
darkcomet
User
97.81.46.17:1604
socksproxy1.serveftp.com:1604
DC_MUTEX-R0MQYLT
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
SkFtw2Fer8G2
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
vbc.exedescription ioc process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe" vbc.exe -
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
attrib.exeattrib.exepid process 2044 attrib.exe 4668 attrib.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
16b8315c6de1994bdcbc0faf574a162b_JaffaCakes118.exedescription ioc process Key value queried \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\Control Panel\International\Geo\Nation 16b8315c6de1994bdcbc0faf574a162b_JaffaCakes118.exe -
Executes dropped EXE 2 IoCs
Processes:
msconfig.exemsdcsc.exepid process 3024 msconfig.exe 1328 msdcsc.exe -
Processes:
resource yara_rule behavioral2/memory/3004-20-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/3004-22-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/3004-24-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/3004-23-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/3004-19-0x0000000000400000-0x00000000004B9000-memory.dmp upx behavioral2/memory/3004-34-0x0000000000400000-0x00000000004B9000-memory.dmp upx -
Uses the VBS compiler for execution 1 TTPs
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes:
msconfig.exevbc.exedescription ioc process Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\18.exe = "C:\\Users\\Admin\\AppData\\RoamingMicrosoft\\System\\Services\\18.exe" msconfig.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Windows\CurrentVersion\Run\18.exe = "C:\\Users\\Admin\\AppData\\RoamingMicrosoft\\System\\Services\\18.exe" msconfig.exe Set value (str) \REGISTRY\USER\S-1-5-21-200405930-3877336739-3533750831-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe" vbc.exe -
Suspicious use of SetThreadContext 1 IoCs
Processes:
msconfig.exedescription pid process target process PID 3024 set thread context of 3004 3024 msconfig.exe vbc.exe -
Drops file in Windows directory 2 IoCs
Processes:
attrib.exeattrib.exedescription ioc process File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe attrib.exe File opened for modification C:\Windows\Microsoft.NET\Framework\v2.0.50727 attrib.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Suspicious behavior: EnumeratesProcesses 12 IoCs
Processes:
msconfig.exepid process 3024 msconfig.exe 3024 msconfig.exe 3024 msconfig.exe 3024 msconfig.exe 3024 msconfig.exe 3024 msconfig.exe 3024 msconfig.exe 3024 msconfig.exe 3024 msconfig.exe 3024 msconfig.exe 3024 msconfig.exe 3024 msconfig.exe -
Suspicious use of AdjustPrivilegeToken 25 IoCs
Processes:
msconfig.exevbc.exedescription pid process Token: SeDebugPrivilege 3024 msconfig.exe Token: SeIncreaseQuotaPrivilege 3004 vbc.exe Token: SeSecurityPrivilege 3004 vbc.exe Token: SeTakeOwnershipPrivilege 3004 vbc.exe Token: SeLoadDriverPrivilege 3004 vbc.exe Token: SeSystemProfilePrivilege 3004 vbc.exe Token: SeSystemtimePrivilege 3004 vbc.exe Token: SeProfSingleProcessPrivilege 3004 vbc.exe Token: SeIncBasePriorityPrivilege 3004 vbc.exe Token: SeCreatePagefilePrivilege 3004 vbc.exe Token: SeBackupPrivilege 3004 vbc.exe Token: SeRestorePrivilege 3004 vbc.exe Token: SeShutdownPrivilege 3004 vbc.exe Token: SeDebugPrivilege 3004 vbc.exe Token: SeSystemEnvironmentPrivilege 3004 vbc.exe Token: SeChangeNotifyPrivilege 3004 vbc.exe Token: SeRemoteShutdownPrivilege 3004 vbc.exe Token: SeUndockPrivilege 3004 vbc.exe Token: SeManageVolumePrivilege 3004 vbc.exe Token: SeImpersonatePrivilege 3004 vbc.exe Token: SeCreateGlobalPrivilege 3004 vbc.exe Token: 33 3004 vbc.exe Token: 34 3004 vbc.exe Token: 35 3004 vbc.exe Token: 36 3004 vbc.exe -
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
16b8315c6de1994bdcbc0faf574a162b_JaffaCakes118.exemsconfig.exevbc.execmd.execmd.exedescription pid process target process PID 3588 wrote to memory of 3024 3588 16b8315c6de1994bdcbc0faf574a162b_JaffaCakes118.exe msconfig.exe PID 3588 wrote to memory of 3024 3588 16b8315c6de1994bdcbc0faf574a162b_JaffaCakes118.exe msconfig.exe PID 3588 wrote to memory of 3024 3588 16b8315c6de1994bdcbc0faf574a162b_JaffaCakes118.exe msconfig.exe PID 3024 wrote to memory of 3004 3024 msconfig.exe vbc.exe PID 3024 wrote to memory of 3004 3024 msconfig.exe vbc.exe PID 3024 wrote to memory of 3004 3024 msconfig.exe vbc.exe PID 3024 wrote to memory of 3004 3024 msconfig.exe vbc.exe PID 3024 wrote to memory of 3004 3024 msconfig.exe vbc.exe PID 3024 wrote to memory of 3004 3024 msconfig.exe vbc.exe PID 3024 wrote to memory of 3004 3024 msconfig.exe vbc.exe PID 3024 wrote to memory of 3004 3024 msconfig.exe vbc.exe PID 3004 wrote to memory of 2176 3004 vbc.exe cmd.exe PID 3004 wrote to memory of 2176 3004 vbc.exe cmd.exe PID 3004 wrote to memory of 2176 3004 vbc.exe cmd.exe PID 3004 wrote to memory of 3268 3004 vbc.exe cmd.exe PID 3004 wrote to memory of 3268 3004 vbc.exe cmd.exe PID 3004 wrote to memory of 3268 3004 vbc.exe cmd.exe PID 3004 wrote to memory of 1328 3004 vbc.exe msdcsc.exe PID 3004 wrote to memory of 1328 3004 vbc.exe msdcsc.exe PID 3004 wrote to memory of 1328 3004 vbc.exe msdcsc.exe PID 2176 wrote to memory of 2044 2176 cmd.exe attrib.exe PID 2176 wrote to memory of 2044 2176 cmd.exe attrib.exe PID 2176 wrote to memory of 2044 2176 cmd.exe attrib.exe PID 3268 wrote to memory of 4668 3268 cmd.exe attrib.exe PID 3268 wrote to memory of 4668 3268 cmd.exe attrib.exe PID 3268 wrote to memory of 4668 3268 cmd.exe attrib.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid process 2044 attrib.exe 4668 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\16b8315c6de1994bdcbc0faf574a162b_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\16b8315c6de1994bdcbc0faf574a162b_JaffaCakes118.exe"1⤵
- Checks computer location settings
- Suspicious use of WriteProcessMemory
PID:3588 -
C:\Users\Admin\AppData\Roaming\msconfig.exe"C:\Users\Admin\AppData\Roaming\msconfig.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- Suspicious behavior: EnumeratesProcesses
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3024 -
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exeC:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe3⤵
- Modifies WinLogon for persistence
- Adds Run key to start application
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3004 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h4⤵
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h5⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:2044 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h4⤵
- Suspicious use of WriteProcessMemory
PID:3268 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h5⤵
- Sets file to hidden
- Drops file in Windows directory
- Views/modifies file attributes
PID:4668 -
C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"4⤵
- Executes dropped EXE
PID:1328
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
1.1MB
MD5d881de17aa8f2e2c08cbb7b265f928f9
SHA108936aebc87decf0af6e8eada191062b5e65ac2a
SHA256b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
SHA5125f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34
-
Filesize
300KB
MD516b8315c6de1994bdcbc0faf574a162b
SHA138c2018b835dcc8dd6e6c156f7619c8e0acc493d
SHA256018556978f8a8e862bb57db11a55e0be62b424db127b66cd77451fe970b30ee0
SHA51285f5c29486979cb3480fbfa9ab302a29463b060b12dc3aa95785037cfdc2b7f917492f8a1f3a7043d80ef09dca38b908b0f4423907f31148b8c554323fdca4f2