Analysis

max time kernel: 149s
max time network: 146s
platform: windows10-2004_x64
resource: win10v2004-20240709-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240709-en, locale:en-us, os:windows10-2004-x64, system
submitted: 22/07/2024, 13:13

Static task: static1
Behavioral task: behavioral1
Sample: 634f31be903d4e65ad8b3a0267a3d6c0_JaffaCakes118.exe
Resource: win7-20240704-en
General

Target: 634f31be903d4e65ad8b3a0267a3d6c0_JaffaCakes118.exe
Size: 520KB
MD5: 634f31be903d4e65ad8b3a0267a3d6c0
SHA1: ba059c4291ed67ce276bf9632ff81755fb70caa6
SHA256: 816b8d84c864ab7ff7b322971b3aa3f9528889316b47d5ebefbc01bd9afe5fc7
SHA512: 3778542923cd0b5acc7b65492472ce4564fe54319bbbd96c095527b811b9a42c77407fff61fe02a5db54e64b5ad7a1b5de1d163d3cbaa094ce63ef39b5fdf74b
SSDEEP: 12288:G1kfgjd1A6jNaylJqJL0VLlmHd/cN+brXrWtTyFSCS:lgjk6jNaylU0Vg9/cN+XraaS
Malware Config

Extracted
Family: darkcomet
Botnet: retard
C2: parafron.no-ip.biz:100
Mutex: DC_MUTEX-NCUYYDW
InstallPath: MSDCSC\msdcsc.exe
gencode: H30PstbcYkSt
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Desktop\\MSDCSC\\msdcsc.exe" by Stage1.exe

Disables RegEdit via registry modification (1 IoC)
  Set value (int) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" by msdcsc.exe

Checks computer location settings (2 TTPs, 3 IoCs)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation by 634f31be903d4e65ad8b3a0267a3d6c0_JaffaCakes118.exe
  Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation by Crypted.exe
  Key value queried \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\Control Panel\International\Geo\Nation by Stage1.exe

Executes dropped EXE (4 IoCs)
  PID 1536 Crypted.exe
  PID 4952 Stage2.exe
  PID 4780 Stage1.exe
  PID 1056 msdcsc.exe

YARA rule match: upx (3 IoCs)
  behavioral2/files/0x00070000000234ae-15.dat
  behavioral2/memory/4952-22-0x0000000000400000-0x0000000000443000-memory.dmp
  behavioral2/memory/4952-27-0x0000000000400000-0x0000000000443000-memory.dmp

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Desktop\\MSDCSC\\msdcsc.exe" by Stage1.exe
  Set value (str) \REGISTRY\USER\S-1-5-21-1750093773-264148664-1320403265-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Desktop\\MSDCSC\\msdcsc.exe" by msdcsc.exe

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Stage1.exe (PID 4780) and msdcsc.exe (PID 1056) each adjusted the same 24 token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and the numeric token entries 33, 34, 35 and 36.

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 1056 msdcsc.exe

Suspicious use of WriteProcessMemory (34 IoCs)
  PID 2836 (634f31be903d4e65ad8b3a0267a3d6c0_JaffaCakes118.exe) wrote to memory of PID 1536, procid_target 86 (3 entries)
  PID 1536 (Crypted.exe) wrote to memory of PID 4952, procid_target 87 (3 entries)
  PID 1536 (Crypted.exe) wrote to memory of PID 4780, procid_target 92 (3 entries)
  PID 4780 (Stage1.exe) wrote to memory of PID 1056, procid_target 93 (3 entries)
  PID 1056 (msdcsc.exe) wrote to memory of PID 3416, procid_target 94 (22 entries)
Processes

1. C:\Users\Admin\AppData\Local\Temp\634f31be903d4e65ad8b3a0267a3d6c0_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\634f31be903d4e65ad8b3a0267a3d6c0_JaffaCakes118.exe"
   PID: 2836
   - Checks computer location settings
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Local\Temp\Crypted.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\Crypted.exe"
      PID: 1536
      - Checks computer location settings
      - Executes dropped EXE
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\AppData\Roaming\Stage2.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Stage2.exe" x -y -oC:\Users\Admin\AppData\Roaming -pxnq8rPMxVI87ciGwWJHxRTy3iauHcIirteOOELv3B5vkS9kJoHBUAahY1dWxj8yA
         PID: 4952
         - Executes dropped EXE

      3. C:\Users\Admin\AppData\Roaming\Stage1.exe
         Command line: "C:\Users\Admin\AppData\Roaming\Stage1.exe"
         PID: 4780
         - Modifies WinLogon for persistence
         - Checks computer location settings
         - Executes dropped EXE
         - Adds Run key to start application
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of WriteProcessMemory

         4. C:\Users\Admin\Desktop\MSDCSC\msdcsc.exe
            Command line: "C:\Users\Admin\Desktop\MSDCSC\msdcsc.exe"
            PID: 1056
            - Disables RegEdit via registry modification
            - Executes dropped EXE
            - Adds Run key to start application
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            5. C:\Windows\SysWOW64\notepad.exe
               Command line: notepad
               PID: 3416
Network
MITRE ATT&CK Enterprise v15
Downloads