Analysis
- max time kernel: 150s
- max time network: 147s
- platform: windows7_x64
- resource: win7-20240704-en
- resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
- submitted: 22/07/2024, 13:13
- Static task: static1
- Behavioral task: behavioral1
- Sample: 634f31be903d4e65ad8b3a0267a3d6c0_JaffaCakes118.exe
- Resource: win7-20240704-en
General
- Target: 634f31be903d4e65ad8b3a0267a3d6c0_JaffaCakes118.exe
- Size: 520KB
- MD5: 634f31be903d4e65ad8b3a0267a3d6c0
- SHA1: ba059c4291ed67ce276bf9632ff81755fb70caa6
- SHA256: 816b8d84c864ab7ff7b322971b3aa3f9528889316b47d5ebefbc01bd9afe5fc7
- SHA512: 3778542923cd0b5acc7b65492472ce4564fe54319bbbd96c095527b811b9a42c77407fff61fe02a5db54e64b5ad7a1b5de1d163d3cbaa094ce63ef39b5fdf74b
- SSDEEP: 12288:G1kfgjd1A6jNaylJqJL0VLlmHd/cN+brXrWtTyFSCS:lgjk6jNaylU0Vg9/cN+XraaS
Malware Config
Extracted
- Family: darkcomet
- Botnet: retard
- C2: parafron.no-ip.biz:100
- Mutex: DC_MUTEX-NCUYYDW
- Attributes:
  - InstallPath: MSDCSC\msdcsc.exe
  - gencode: H30PstbcYkSt
  - install: true
  - offline_keylogger: true
  - persistence: true
  - reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Desktop\\MSDCSC\\msdcsc.exe" | Stage1.exe
- Disables RegEdit via registry modification (1 IoCs)
  description | ioc | Process
  Set value (int) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | msdcsc.exe
- Executes dropped EXE (4 IoCs)
  pid | Process
  1952 | Crypted.exe
  2952 | Stage2.exe
  2724 | Stage1.exe
  2924 | msdcsc.exe
- Loads dropped DLL (15 IoCs)
  pid | Process | events
  1512 | 634f31be903d4e65ad8b3a0267a3d6c0_JaffaCakes118.exe | 1
  1952 | Crypted.exe | 6
  2952 | Stage2.exe | 2
  2724 | Stage1.exe | 4
  2924 | msdcsc.exe | 2
- resource | yara_rule
  behavioral1/files/0x0008000000016d28-12.dat | upx
  behavioral1/memory/1952-16-0x0000000002680000-0x00000000026C3000-memory.dmp | upx
  behavioral1/memory/2952-27-0x0000000000400000-0x0000000000443000-memory.dmp | upx
- Adds Run key to start application (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Desktop\\MSDCSC\\msdcsc.exe" | Stage1.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-2212144002-1172735686-1556890956-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Desktop\\MSDCSC\\msdcsc.exe" | msdcsc.exe
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  description | pid | Process
  Stage1.exe (pid 2724), one event per token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 events)
  msdcsc.exe (pid 2924), one event per token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 events)
- Suspicious use of SetWindowsHookEx (1 IoCs)
  pid | Process
  2924 | msdcsc.exe
- Suspicious use of WriteProcessMemory (54 IoCs)
  description | pid | Process | procid_target | events
  PID 1512 wrote to memory of 1952 | 1512 | 634f31be903d4e65ad8b3a0267a3d6c0_JaffaCakes118.exe | 30 | 7
  PID 1952 wrote to memory of 2952 | 1952 | Crypted.exe | 31 | 7
  PID 1952 wrote to memory of 2724 | 1952 | Crypted.exe | 33 | 7
  PID 2724 wrote to memory of 2924 | 2724 | Stage1.exe | 34 | 7
  PID 2924 wrote to memory of 2276 | 2924 | msdcsc.exe | 35 | 26
Processes
1. C:\Users\Admin\AppData\Local\Temp\634f31be903d4e65ad8b3a0267a3d6c0_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\634f31be903d4e65ad8b3a0267a3d6c0_JaffaCakes118.exe"
   PID: 1512
   - Loads dropped DLL
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\Crypted.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
      PID: 1952
      - Executes dropped EXE
      - Loads dropped DLL
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Roaming\Stage2.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Stage2.exe" x -y -oC:\Users\Admin\AppData\Roaming -pxnq8rPMxVI87ciGwWJHxRTy3iauHcIirteOOELv3B5vkS9kJoHBUAahY1dWxj8yA
         PID: 2952
         - Executes dropped EXE
         - Loads dropped DLL
      3. C:\Users\Admin\AppData\Roaming\Stage1.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Stage1.exe"
         PID: 2724
         - Modifies WinLogon for persistence
         - Executes dropped EXE
         - Loads dropped DLL
         - Adds Run key to start application
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory
         4. C:\Users\Admin\Desktop\MSDCSC\msdcsc.exe
            Command line: "C:\Users\Admin\Desktop\MSDCSC\msdcsc.exe"
            PID: 2924
            - Disables RegEdit via registry modification
            - Executes dropped EXE
            - Loads dropped DLL
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory
            5. C:\Windows\SysWOW64\notepad.exe
               Command line: notepad
               PID: 2276
Network
MITRE ATT&CK Enterprise v15
Downloads
- Filesize: 451KB
  MD5: 2b2da5103459934a48d05b147766718d
  SHA1: fe4379b6bee31e3aff9c263cc0020699ac9d0852
  SHA256: 79282f9b6269118fb2c14ab32287a922f836514256fdadaf205ba3efe310722b
  SHA512: ddeeba5a582719f0df38f33fc5d9fa3f5e4daed972565cfba191f65d9bc6acbb7ba211bed65b5b60ecf3cf8b0abc2759072571d037cb317194ab91a1689093c9
- Filesize: 660KB
  MD5: 09bf018f3216c295f4ec053e1a26fd3c
  SHA1: e4f6dd527077196369343712afacf05a22bbe318
  SHA256: 3990d8a59a7b3df913936b8243d470e1fde8ff214c130e737a7d045633f5680f
  SHA512: f1e4a3b02308b251e5794b225f5ed395466eef7a14f0c41f69a4cf68df95fe89ab146d4fa3a8e922828c897aa86601c510535126f175de44369f7e8ec9879f60
- Filesize: 357KB
  MD5: 2799863078b50af5d28e527841961500
  SHA1: b74220f377299e42fcdd2c75ca84343958542720
  SHA256: 41aea843d59ffe60ff22328b740519aad8927fdf39f439ec0424ebb615679c33
  SHA512: bf0685103977c27881cef4abaff777f490349db9ec5bd6f7167f98f390e0baf895af629442c15e0c2578b7b156c772e8ecf8d17917871b06b80828433eb38f14