Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20240709-en -
resource tags
arch:x64arch:x86image:win10v2004-20240709-enlocale:en-usos:windows10-2004-x64system -
submitted
23/07/2024, 19:28
Behavioral task
behavioral1
Sample
689d3b376444629b2db7f4f4bbf194b0_JaffaCakes118.exe
Resource
win7-20240705-en
windows7-x64
22 signatures
150 seconds
General
-
Target
689d3b376444629b2db7f4f4bbf194b0_JaffaCakes118.exe
-
Size
601KB
-
MD5
689d3b376444629b2db7f4f4bbf194b0
-
SHA1
89361e65979066937b7d24720ac8e5a107cfc60e
-
SHA256
57e57b8eefd5a9f717396871df8bb5572ec6b94ab0985a551c838414317bebda
-
SHA512
94831e1a8625c8c11ff30a68870ddea0a71dcfbf1667939b12f6432ec0dfd66a609a51dd5008e15a381bc4632bb6940ed85abdcea48e505b5f78cb20ba8c9c61
-
SSDEEP
12288:v6Wq4aaE6KwyF5L0Y2D1PqL2OlxFzU+RaO0kxDRu0h1nGiJdZttE37U6I:tthEVaPqL2OlXPfLNhPGgdleI
Malware Config
Extracted
Family
darkcomet
Botnet
Guest16
C2
127.0.0.1:1604
Mutex
DC_MUTEX-F54S21D
Attributes
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
HAC9L4KeLiZp
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" server.exe -
Modifies firewall policy service 3 TTPs 3 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" msdcsc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\SharedAccess\Parameters\FirewallPolicy\StandardProfile msdcsc.exe -
Modifies security service 2 TTPs 1 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" msdcsc.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" msdcsc.exe -
Disables Task Manager via registry modification
-
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 1668 attrib.exe 3152 attrib.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\Control Panel\International\Geo\Nation server.exe -
Executes dropped EXE 2 IoCs
pid Process 2176 server.exe 3468 msdcsc.exe -
resource yara_rule behavioral2/memory/2244-0-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral2/files/0x0007000000023437-8.dat upx behavioral2/memory/2176-9-0x0000000000400000-0x00000000004EA000-memory.dmp upx behavioral2/memory/2244-10-0x0000000000400000-0x00000000004C2000-memory.dmp upx behavioral2/memory/2176-73-0x0000000000400000-0x00000000004EA000-memory.dmp upx behavioral2/memory/3468-75-0x0000000000400000-0x00000000004EA000-memory.dmp upx behavioral2/memory/3468-76-0x0000000000400000-0x00000000004EA000-memory.dmp upx behavioral2/memory/3468-77-0x0000000000400000-0x00000000004EA000-memory.dmp upx behavioral2/memory/3468-79-0x0000000000400000-0x00000000004EA000-memory.dmp upx behavioral2/memory/3468-80-0x0000000000400000-0x00000000004EA000-memory.dmp upx behavioral2/memory/3468-81-0x0000000000400000-0x00000000004EA000-memory.dmp upx behavioral2/memory/3468-82-0x0000000000400000-0x00000000004EA000-memory.dmp upx behavioral2/memory/3468-83-0x0000000000400000-0x00000000004EA000-memory.dmp upx behavioral2/memory/3468-84-0x0000000000400000-0x00000000004EA000-memory.dmp upx behavioral2/memory/3468-88-0x0000000000400000-0x00000000004EA000-memory.dmp upx -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2650514177-1034912467-4025611726-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" server.exe -
AutoIT Executable 1 IoCs
AutoIT scripts compiled to PE executables.
resource yara_rule behavioral2/memory/2244-10-0x0000000000400000-0x00000000004C2000-memory.dmp autoit_exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language server.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msdcsc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 689d3b376444629b2db7f4f4bbf194b0_JaffaCakes118.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ server.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3468 msdcsc.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2176 server.exe Token: SeSecurityPrivilege 2176 server.exe Token: SeTakeOwnershipPrivilege 2176 server.exe Token: SeLoadDriverPrivilege 2176 server.exe Token: SeSystemProfilePrivilege 2176 server.exe Token: SeSystemtimePrivilege 2176 server.exe Token: SeProfSingleProcessPrivilege 2176 server.exe Token: SeIncBasePriorityPrivilege 2176 server.exe Token: SeCreatePagefilePrivilege 2176 server.exe Token: SeBackupPrivilege 2176 server.exe Token: SeRestorePrivilege 2176 server.exe Token: SeShutdownPrivilege 2176 server.exe Token: SeDebugPrivilege 2176 server.exe Token: SeSystemEnvironmentPrivilege 2176 server.exe Token: SeChangeNotifyPrivilege 2176 server.exe Token: SeRemoteShutdownPrivilege 2176 server.exe Token: SeUndockPrivilege 2176 server.exe Token: SeManageVolumePrivilege 2176 server.exe Token: SeImpersonatePrivilege 2176 server.exe Token: SeCreateGlobalPrivilege 2176 server.exe Token: 33 2176 server.exe Token: 34 2176 server.exe Token: 35 2176 server.exe Token: 36 2176 server.exe Token: SeIncreaseQuotaPrivilege 3468 msdcsc.exe Token: SeSecurityPrivilege 3468 msdcsc.exe Token: SeTakeOwnershipPrivilege 3468 msdcsc.exe Token: SeLoadDriverPrivilege 3468 msdcsc.exe Token: SeSystemProfilePrivilege 3468 msdcsc.exe Token: SeSystemtimePrivilege 3468 msdcsc.exe Token: SeProfSingleProcessPrivilege 3468 msdcsc.exe Token: SeIncBasePriorityPrivilege 3468 msdcsc.exe Token: SeCreatePagefilePrivilege 3468 msdcsc.exe Token: SeBackupPrivilege 3468 msdcsc.exe Token: SeRestorePrivilege 3468 msdcsc.exe Token: SeShutdownPrivilege 3468 msdcsc.exe Token: SeDebugPrivilege 3468 msdcsc.exe Token: SeSystemEnvironmentPrivilege 3468 msdcsc.exe Token: SeChangeNotifyPrivilege 3468 msdcsc.exe Token: SeRemoteShutdownPrivilege 3468 msdcsc.exe Token: SeUndockPrivilege 3468 msdcsc.exe Token: SeManageVolumePrivilege 3468 msdcsc.exe Token: SeImpersonatePrivilege 3468 msdcsc.exe Token: SeCreateGlobalPrivilege 3468 msdcsc.exe Token: 33 3468 msdcsc.exe Token: 34 3468 msdcsc.exe Token: 35 3468 msdcsc.exe Token: 36 3468 msdcsc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3468 msdcsc.exe -
Suspicious use of WriteProcessMemory 40 IoCs
description pid Process procid_target PID 2244 wrote to memory of 2176 2244 689d3b376444629b2db7f4f4bbf194b0_JaffaCakes118.exe 86 PID 2244 wrote to memory of 2176 2244 689d3b376444629b2db7f4f4bbf194b0_JaffaCakes118.exe 86 PID 2244 wrote to memory of 2176 2244 689d3b376444629b2db7f4f4bbf194b0_JaffaCakes118.exe 86 PID 2176 wrote to memory of 220 2176 server.exe 88 PID 2176 wrote to memory of 220 2176 server.exe 88 PID 2176 wrote to memory of 220 2176 server.exe 88 PID 2176 wrote to memory of 4484 2176 server.exe 90 PID 2176 wrote to memory of 4484 2176 server.exe 90 PID 2176 wrote to memory of 4484 2176 server.exe 90 PID 220 wrote to memory of 1668 220 cmd.exe 92 PID 220 wrote to memory of 1668 220 cmd.exe 92 PID 220 wrote to memory of 1668 220 cmd.exe 92 PID 4484 wrote to memory of 3152 4484 cmd.exe 93 PID 4484 wrote to memory of 3152 4484 cmd.exe 93 PID 4484 wrote to memory of 3152 4484 cmd.exe 93 PID 2176 wrote to memory of 3468 2176 server.exe 94 PID 2176 wrote to memory of 3468 2176 server.exe 94 PID 2176 wrote to memory of 3468 2176 server.exe 94 PID 3468 wrote to memory of 640 3468 msdcsc.exe 95 PID 3468 wrote to memory of 640 3468 msdcsc.exe 95 PID 3468 wrote to memory of 640 3468 msdcsc.exe 95 PID 3468 wrote to memory of 640 3468 msdcsc.exe 95 PID 3468 wrote to memory of 640 3468 msdcsc.exe 95 PID 3468 wrote to memory of 640 3468 msdcsc.exe 95 PID 3468 wrote to memory of 640 3468 msdcsc.exe 95 PID 3468 wrote to memory of 640 3468 msdcsc.exe 95 PID 3468 wrote to memory of 640 3468 msdcsc.exe 95 PID 3468 wrote to memory of 640 3468 msdcsc.exe 95 PID 3468 wrote to memory of 640 3468 msdcsc.exe 95 PID 3468 wrote to memory of 640 3468 msdcsc.exe 95 PID 3468 wrote to memory of 640 3468 msdcsc.exe 95 PID 3468 wrote to memory of 640 3468 msdcsc.exe 95 PID 3468 wrote to memory of 640 3468 msdcsc.exe 95 PID 3468 wrote to memory of 640 3468 msdcsc.exe 95 PID 3468 wrote to memory of 640 3468 msdcsc.exe 95 PID 3468 wrote to memory of 640 3468 msdcsc.exe 95 PID 3468 wrote to memory of 640 3468 msdcsc.exe 95 PID 3468 wrote to memory of 640 3468 msdcsc.exe 95 PID 3468 wrote to memory of 640 3468 msdcsc.exe 95 PID 3468 wrote to memory of 640 3468 msdcsc.exe 95 -
System policy modification 1 TTPs 3 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion msdcsc.exe Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" msdcsc.exe -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 1668 attrib.exe 3152 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\689d3b376444629b2db7f4f4bbf194b0_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\689d3b376444629b2db7f4f4bbf194b0_JaffaCakes118.exe"1⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2244 -
C:\Users\Admin\AppData\Local\Temp\server.exeC:\Users\Admin\AppData\Local\Temp/server.exe2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2176 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\server.exe" +s +h3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:220 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\server.exe" +s +h4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1668
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4484 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h4⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3152
-
-
-
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
- System policy modification
PID:3468 -
C:\Windows\SysWOW64\notepad.exenotepad4⤵
- System Location Discovery: System Language Discovery
PID:640
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
7Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
350KB
MD5703726645e1058094b2abe2f9035594d
SHA14aa275e9e07f109bce29372587d68102bc050655
SHA25622715fa9b5938490bf9dc60ee6d75c4e058447b884d619be2e40f7abf8e22777
SHA5126629e678b63be102d545174a8b9fa5aed98380e9edbd39fd0ca328044462bb971842d395bfcb504508a2cfba19438f2df8acb279f8864443e502d3e40ca2910a