Analysis
- max time kernel: 37s
- max time network: 38s
- platform: windows10-1703_x64
- resource: win10-20240611-en
- resource tags: arch:x64, arch:x86, image:win10-20240611-en, locale:en-us, os:windows10-1703-x64, system
- submitted: 31-07-2024 19:45
- Static task: static1
General
- Target: 7d9512b4df2dd9a08b99bb5d4f644a1b_JaffaCakes118.exe
- Size: 379KB
- MD5: 7d9512b4df2dd9a08b99bb5d4f644a1b
- SHA1: 1972b0cdc54764b5df7fb94176bca0f8d812fe2c
- SHA256: 6da662c998ef51d63aba6cccdf510e7e584b4d8505e2fa0dbe19a70632dba4c6
- SHA512: 4d71364bab0946cc892a36a0bb85f2f68f17d7c958e8427e78666063674fdfd5dd81c5b01be90f9a1a48c9f476e80ad219b1e9a37aa696dac63877dced66d815
- SSDEEP: 6144:CovtRpmsVeVTPuoEW2pAFNOGkR4nZg7Yf1YbE5lCJ8IIQaJ6a7a2CEbxBqirpRO1:CqtONjhEW5FNeR4ZG76lzIIRJ6u4EFou
Malware Config
Extracted
- Family: darkcomet
- Botnet ID: Guest16
- C2: smr9.no-ip.org:1604
- Mutex: DC_MUTEX-NJSZLY8
- InstallPath: MSDCSC\lsass.exe
- gencode: 6xtSkc229rlk
- install: true
- offline_keylogger: false
- password: 123456
- persistence: true
- reg_key: lsass.exe
Signatures

Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\MSDCSC\\lsass.exe" | 7d9512b4df2dd9a08b99bb5d4f644a1b_JaffaCakes118.exe

Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes (description | ioc | process):
- Key value queried | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Control Panel\International\Geo\Nation | 7d9512b4df2dd9a08b99bb5d4f644a1b_JaffaCakes118.exe

Executes dropped EXE 1 IoCs
Processes (pid | process):
- 208 | lsass.exe

Adds Run key to start application 2 TTPs 2 IoCs
Processes (description | ioc | process):
- Set value (str) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "C:\\MSDCSC\\lsass.exe" | 7d9512b4df2dd9a08b99bb5d4f644a1b_JaffaCakes118.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "C:\\MSDCSC\\lsass.exe" | lsass.exe
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery 1 TTPs 2 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes (description | ioc | process):
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7d9512b4df2dd9a08b99bb5d4f644a1b_JaffaCakes118.exe
- Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe

Modifies Internet Explorer settings 3 IoCs
Processes (description | ioc | process):
- Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\LowRegistry\Shell Extensions | PaintStudio.View.exe
- Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\LowRegistry\Shell Extensions\Cached | PaintStudio.View.exe
- Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000\Software\Microsoft\Internet Explorer\LowRegistry | PaintStudio.View.exe

Modifies registry class 13 IoCs
Processes (description | ioc | process):
- Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance | 7d9512b4df2dd9a08b99bb5d4f644a1b_JaffaCakes118.exe
- Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content | PaintStudio.View.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CacheLimit = "51200" | PaintStudio.View.exe
- Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies | PaintStudio.View.exe
- Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache | PaintStudio.View.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CachePrefix = "Cookie:" | PaintStudio.View.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Cookies\CacheLimit = "1" | PaintStudio.View.exe
- Set value (int) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CacheLimit = "1" | PaintStudio.View.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Content\CachePrefix | PaintStudio.View.exe
- Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings | PaintStudio.View.exe
- Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\Extensible Cache | PaintStudio.View.exe
- Key created | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History | PaintStudio.View.exe
- Set value (str) | \REGISTRY\USER\S-1-5-21-1453213197-474736321-1741884505-1000_Classes\Local Settings\Software\Microsoft\Windows\CurrentVersion\AppContainer\Storage\microsoft.mspaint_8wekyb3d8bbwe\Internet Settings\Cache\History\CachePrefix = "Visited:" | PaintStudio.View.exe

Suspicious behavior: AddClipboardFormatListener 1 IoCs
Processes (pid | process):
- 4388 | PaintStudio.View.exe

Suspicious behavior: EnumeratesProcesses 37 IoCs
Processes (pid | process):
- 4936 | mspaint.exe (2 entries)
- 4388 | PaintStudio.View.exe (35 entries)

Suspicious use of AdjustPrivilegeToken 51 IoCs
Processes (pid | process | tokens adjusted):
- 4764 | 7d9512b4df2dd9a08b99bb5d4f644a1b_JaffaCakes118.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 entries)
- 208 | lsass.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36 (24 entries)
- 4388 | PaintStudio.View.exe | SeDebugPrivilege (3 entries)

Suspicious use of SetWindowsHookEx 3 IoCs
Processes (pid | process):
- 4936 | mspaint.exe
- 4388 | PaintStudio.View.exe (2 entries)

Suspicious use of WriteProcessMemory 3 IoCs
Processes (description | pid | process | target process):
- PID 4764 wrote to memory of 208 | 4764 | 7d9512b4df2dd9a08b99bb5d4f644a1b_JaffaCakes118.exe | lsass.exe (3 entries)
Processes
- C:\Users\Admin\AppData\Local\Temp\7d9512b4df2dd9a08b99bb5d4f644a1b_JaffaCakes118.exe (PID 4764, level 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\7d9512b4df2dd9a08b99bb5d4f644a1b_JaffaCakes118.exe"
  Signatures:
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\MSDCSC\lsass.exe (PID 208, level 2, child of PID 4764)
    Command line: "C:\MSDCSC\lsass.exe"
    Signatures:
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
- C:\Windows\System32\rundll32.exe (PID 4448, level 1)
  Command line: C:\Windows\System32\rundll32.exe C:\Windows\System32\shell32.dll,SHCreateLocalServerRunDll {9aa46009-3ce0-458a-a354-715610a075e6} -Embedding
- C:\Windows\system32\mspaint.exe (PID 4936, level 1)
  Command line: "C:\Windows\system32\mspaint.exe" "C:\Users\Admin\Downloads\CheckpointSuspend.png" /ForceBootstrapPaint3D
  Signatures:
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of SetWindowsHookEx
- C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe (PID 4388, level 1)
  Command line: "C:\Program Files\WindowsApps\Microsoft.MSPaint_1.1702.28017.0_x64__8wekyb3d8bbwe\PaintStudio.View.exe" -ServerName:Microsoft.MSPaint.AppX437q68k2qc2asvaagas2prv9tjej6ja9.mca
  Signatures:
  - Modifies Internet Explorer settings
  - Modifies registry class
  - Suspicious behavior: AddClipboardFormatListener
  - Suspicious behavior: EnumeratesProcesses
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Downloads
- Filesize: 379KB
  MD5: 7d9512b4df2dd9a08b99bb5d4f644a1b
  SHA1: 1972b0cdc54764b5df7fb94176bca0f8d812fe2c
  SHA256: 6da662c998ef51d63aba6cccdf510e7e584b4d8505e2fa0dbe19a70632dba4c6
  SHA512: 4d71364bab0946cc892a36a0bb85f2f68f17d7c958e8427e78666063674fdfd5dd81c5b01be90f9a1a48c9f476e80ad219b1e9a37aa696dac63877dced66d815
- C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
  Filesize: 2B
  MD5: d751713988987e9331980363e24189ce
  SHA1: 97d170e1550eee4afc0af065b78cda302a97674c
  SHA256: 4f53cda18c2baa0c0354bb5f9a3ecbe5ed12ab4d8e11ba873c2f11161202b945
  SHA512: b25b294cb4deb69ea00a4c3cf3113904801b6015e5956bd019a8570b1fe1d6040e944ef3cdee16d0a46503ca6e659a25f21cf9ceddc13f352a3c98138c15d6af
- C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\Projects\Projects.json
  Filesize: 233B
  MD5: 74e6792bd2d877b4f9c977302290f8c6
  SHA1: a18e2de661e53ff4cc2ceaed142a3ce60c658c9c
  SHA256: 96a36d99486ece284c9c227b853fa656e1f15a0c4a1463fde1af90aaf33893f6
  SHA512: 5e8a60a464d11a10d30c76185c7f9eda3ac7e12cc6b562736c979e0765578a8e15a8d0100176f49e2b6664767f428ab5c402e6406ccaea855614fba322e2877e
- C:\Users\Admin\AppData\Local\Packages\Microsoft.MSPaint_8wekyb3d8bbwe\LocalState\cloudCommunitySettings.json
  Filesize: 2KB
  MD5: 404a3ec24e3ebf45be65e77f75990825
  SHA1: 1e05647cf0a74cedfdeabfa3e8ee33b919780a61
  SHA256: cc45905af3aaa62601a69c748a06a2fa48eca3b28d44d8ec18764a7e8e4c3da2
  SHA512: a55382b72267375821b0a229d3529ed54cef0f295f550d1e95661bafccec606aa1cd72e059d37d78e7d2927ae72e2919941251d233152f5eeb32ffdfc96023e5