Analysis
-
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240704-en
resource tags: arch:x64, arch:x86, image:win7-20240704-en, locale:en-us, os:windows7-x64, system
submitted: 26-07-2024 15:02
Static task: static1
Behavioral task: behavioral1
Sample: 7489d6d9182cfb315a028a9670a1eaa7_JaffaCakes118.exe
Resource: win7-20240704-en
General
-
Target: 7489d6d9182cfb315a028a9670a1eaa7_JaffaCakes118.exe
Size: 501KB
MD5: 7489d6d9182cfb315a028a9670a1eaa7
SHA1: 6248b643e2700e60960d7ea7911926310d6bdb41
SHA256: 539cb4699daed68cce319ba88bb97ed2211321ab7d8342370bcd958f3de6af38
SHA512: 8e795753a7818a5818f29586b57750f6e397475299924624d4a27fb9a8c81194bf16b7c6af108dbc4961b222dfe7a3cfedcf8c7be040bde27b3cf6ec485dc4ea
SSDEEP: 6144:+pnVaARrQbqPwZQU+gr+h8Ug1Dgpfd+5R8Kyt9oXtzYYjsUE+ksQIPSkh7h/SL:Wnka8AHeb405Rt9Je4/Skh9/S
Malware Config
Extracted
Family: darkcomet
Botnet: Guest16
C2: speeed.zapto.org:15963
C2: speeed.hopto.org:15963
Mutex: DC_MUTEX-WLBBHZN
Attributes:
- InstallPath: MSDCSC\msdcsc.exe
- gencode: 3Vr9Alq967cJ
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 7489d6d9182cfb315a028a9670a1eaa7_JaffaCakes118.exe
-
Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  2624 | msdcsc.exe
-
Loads dropped DLL (2 IoCs)
Processes:
  pid | process
  2732 | 7489d6d9182cfb315a028a9670a1eaa7_JaffaCakes118.exe
  2732 | 7489d6d9182cfb315a028a9670a1eaa7_JaffaCakes118.exe
-
Adds Run key to start application (2 TTPs, 3 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 7489d6d9182cfb315a028a9670a1eaa7_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | msdcsc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3434294380-2554721341-1919518612-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | iexplore.exe
-
Writes to the Master Boot Record (MBR) (1 TTPs, 3 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description | ioc | process
  File opened for modification | \??\PhysicalDrive0 | 7489d6d9182cfb315a028a9670a1eaa7_JaffaCakes118.exe
  File opened for modification | \??\PhysicalDrive0 | msdcsc.exe
  File opened for modification | \??\PhysicalDrive0 | iexplore.exe
-
Suspicious use of SetThreadContext (1 IoCs)
Processes:
  description | pid | process | target process
  PID 2624 set thread context of 2604 | 2624 | msdcsc.exe | iexplore.exe
-
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7489d6d9182cfb315a028a9670a1eaa7_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdcsc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iexplore.exe
-
Modifies registry class (9 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | msdcsc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | msdcsc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | iexplore.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | msdcsc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ | 7489d6d9182cfb315a028a9670a1eaa7_JaffaCakes118.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | 7489d6d9182cfb315a028a9670a1eaa7_JaffaCakes118.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | iexplore.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Classes\.key\ = "regfile" | iexplore.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\.key | 7489d6d9182cfb315a028a9670a1eaa7_JaffaCakes118.exe
-
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes (one IoC per token entry; columns: description | pid | process):
  pid 2732, 7489d6d9182cfb315a028a9670a1eaa7_JaffaCakes118.exe (23 IoCs):
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  pid 2624, msdcsc.exe (23 IoCs):
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  pid 2604, iexplore.exe (18 IoCs):
    Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
-
Suspicious use of SetWindowsHookEx (1 IoCs)
Processes:
  pid | process
  2604 | iexplore.exe
-
Suspicious use of WriteProcessMemory (10 IoCs)
Processes:
  description | pid | process | target process
  PID 2732 wrote to memory of 2624 | 2732 | 7489d6d9182cfb315a028a9670a1eaa7_JaffaCakes118.exe | msdcsc.exe
  PID 2732 wrote to memory of 2624 | 2732 | 7489d6d9182cfb315a028a9670a1eaa7_JaffaCakes118.exe | msdcsc.exe
  PID 2732 wrote to memory of 2624 | 2732 | 7489d6d9182cfb315a028a9670a1eaa7_JaffaCakes118.exe | msdcsc.exe
  PID 2732 wrote to memory of 2624 | 2732 | 7489d6d9182cfb315a028a9670a1eaa7_JaffaCakes118.exe | msdcsc.exe
  PID 2624 wrote to memory of 2604 | 2624 | msdcsc.exe | iexplore.exe
  PID 2624 wrote to memory of 2604 | 2624 | msdcsc.exe | iexplore.exe
  PID 2624 wrote to memory of 2604 | 2624 | msdcsc.exe | iexplore.exe
  PID 2624 wrote to memory of 2604 | 2624 | msdcsc.exe | iexplore.exe
  PID 2624 wrote to memory of 2604 | 2624 | msdcsc.exe | iexplore.exe
  PID 2624 wrote to memory of 2604 | 2624 | msdcsc.exe | iexplore.exe
Processes
-
1. C:\Users\Admin\AppData\Local\Temp\7489d6d9182cfb315a028a9670a1eaa7_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\7489d6d9182cfb315a028a9670a1eaa7_JaffaCakes118.exe"
   PID: 2732
   - Modifies WinLogon for persistence
   - Loads dropped DLL
   - Adds Run key to start application
   - Writes to the Master Boot Record (MBR)
   - System Location Discovery: System Language Discovery
   - Modifies registry class
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
-
   2. C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (child of PID 2732)
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      PID: 2624
      - Executes dropped EXE
      - Adds Run key to start application
      - Writes to the Master Boot Record (MBR)
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
-
      3. C:\Program Files (x86)\Internet Explorer\iexplore.exe (child of PID 2624)
         Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
         PID: 2604
         - Adds Run key to start application
         - Writes to the Master Boot Record (MBR)
         - System Location Discovery: System Language Discovery
         - Modifies registry class
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Pre-OS Boot (1)
    Bootkit (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads
-
Filesize: 501KB
MD5: 7489d6d9182cfb315a028a9670a1eaa7
SHA1: 6248b643e2700e60960d7ea7911926310d6bdb41
SHA256: 539cb4699daed68cce319ba88bb97ed2211321ab7d8342370bcd958f3de6af38
SHA512: 8e795753a7818a5818f29586b57750f6e397475299924624d4a27fb9a8c81194bf16b7c6af108dbc4961b222dfe7a3cfedcf8c7be040bde27b3cf6ec485dc4ea