Analysis Overview
SHA256
5e933618f0cca94e548037a4f8e0c3603e1f38175f6bd8085bfb64ed8c5f1a34
Threat Level: Known bad
The file 641eee36a837e78938443a37bdba829f_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Darkcomet
Modifies WinLogon for persistence
UPX packed file
Checks computer location settings
Loads dropped DLL
Executes dropped EXE
Deletes itself
Adds Run key to start application
Suspicious use of SetThreadContext
Enumerates physical storage devices
Unsigned PE
Runs ping.exe
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Suspicious use of SetWindowsHookEx
Modifies registry class
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-07-22 17:33
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-07-22 17:33
Reported
2024-07-22 17:37
Platform
win7-20240708-en
Max time kernel
122s
Max time network
128s
Command Line
Signatures
Darkcomet
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe | N/A |
Deletes itself
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\cmd.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-2958949473-3205530200-1453100116-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2956 set thread context of 2476 | N/A | C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe |
| PID 2696 set thread context of 2712 | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe |
| PID 2712 set thread context of 2200 | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| PID 2200 set thread context of 2720 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Enumerates physical storage devices
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Network
Files
memory/2956-2-0x0000000000401000-0x0000000000411000-memory.dmp
memory/2476-5-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/2476-13-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/2476-12-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/2956-11-0x0000000000401000-0x0000000000411000-memory.dmp
memory/2476-10-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/2476-8-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2476-7-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/2476-3-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/2476-14-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/2476-16-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/2476-15-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/2476-17-0x0000000000400000-0x00000000004B6000-memory.dmp
\Users\Admin\Documents\MSDCSC\msdcsc.exe
| Hash | Value |
| --- | --- |
| MD5 | 641eee36a837e78938443a37bdba829f |
| SHA1 | 6a270b234c96d1102ede2082ad51a7c9285c749b |
| SHA256 | 5e933618f0cca94e548037a4f8e0c3603e1f38175f6bd8085bfb64ed8c5f1a34 |
| SHA512 | 2e0059582be9648d2bb7143d17d179a335537cebfcef18037a84823d65e01d9b202a4b6d495443a386dab7b7e39b7251bf86640ea351eda070b813e9997ef29c |
memory/2476-30-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/2712-46-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/2712-45-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/2712-44-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/2712-47-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/2712-52-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/2200-48-0x0000000000400000-0x0000000000479000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-07-22 17:33
Reported
2024-07-22 17:36
Platform
win10v2004-20240709-en
Max time kernel
150s
Max time network
148s
Command Line
Signatures
Darkcomet
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key value queried | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A |
UPX packed file
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
| N/A | N/A | N/A | N/A |
Adds Run key to start application
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3419463127-3903270268-2580331543-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| PID 2832 set thread context of 3624 | N/A | C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe | C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe |
| PID 1244 set thread context of 3644 | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe |
| PID 3644 set thread context of 3828 | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
| PID 3828 set thread context of 1624 | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | C:\Program Files (x86)\Internet Explorer\iexplore.exe |
Enumerates physical storage devices
Modifies registry class
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe | N/A |
Runs ping.exe
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Windows\SysWOW64\PING.EXE | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of SetWindowsHookEx
| Description | Indicator | Process | Target |
| --- | --- | --- | --- |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Users\Admin\Documents\MSDCSC\msdcsc.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
| N/A | N/A | C:\Program Files (x86)\Internet Explorer\iexplore.exe | N/A |
Suspicious use of WriteProcessMemory
Processes
C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe"
C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\641eee36a837e78938443a37bdba829f_JaffaCakes118.exe"
C:\Windows\SysWOW64\PING.EXE
ping 127.0.0.1 -n 4
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
C:\Program Files (x86)\Internet Explorer\iexplore.exe
"C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Network
| Country | Destination | Domain | Proto |
| --- | --- | --- | --- |
| US | 8.8.8.8:53 | 209.205.72.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 0.205.248.87.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 134.32.126.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 57.169.31.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | 183.142.211.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | 103.169.127.40.in-addr.arpa | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 147.142.123.92.in-addr.arpa | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | 19.58.20.217.in-addr.arpa | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | 26.35.223.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | 13.227.111.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.27.10:443 | tse1.mm.bing.net | tcp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
| US | 8.8.8.8:53 | exxplorerr.no-ip.biz | udp |
Files
memory/2832-2-0x0000000000401000-0x0000000000411000-memory.dmp
memory/3624-3-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/3624-4-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/2832-5-0x0000000000401000-0x0000000000411000-memory.dmp
memory/3624-6-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/3624-7-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/3624-8-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/3624-9-0x0000000000400000-0x00000000004B6000-memory.dmp
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
| Hash | Value |
| --- | --- |
| MD5 | 641eee36a837e78938443a37bdba829f |
| SHA1 | 6a270b234c96d1102ede2082ad51a7c9285c749b |
| SHA256 | 5e933618f0cca94e548037a4f8e0c3603e1f38175f6bd8085bfb64ed8c5f1a34 |
| SHA512 | 2e0059582be9648d2bb7143d17d179a335537cebfcef18037a84823d65e01d9b202a4b6d495443a386dab7b7e39b7251bf86640ea351eda070b813e9997ef29c |
memory/3624-70-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/1244-78-0x0000000000400000-0x0000000000479000-memory.dmp
memory/3644-81-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/3644-80-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/3644-79-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/3644-84-0x0000000000400000-0x00000000004B6000-memory.dmp
memory/3828-83-0x0000000000400000-0x0000000000479000-memory.dmp
memory/3644-82-0x0000000000400000-0x00000000004B6000-memory.dmp