Analysis
- max time kernel: 150s
- max time network: 122s
- platform: windows7_x64
- resource: win7-20240708-en
- resource tags: arch:x64, arch:x86, image:win7-20240708-en, locale:en-us, os:windows7-x64, system
- submitted: 01-08-2024 07:22
Static task: static1
Behavioral task: behavioral1
Sample: 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
Resource: win7-20240708-en
General
- Target: 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
- Size: 592KB
- MD5: 7fa2962d464a1e6aaff03c09cf7e538b
- SHA1: 53ed1256ee387bd8fd015bba0bdc79d754d22c7c
- SHA256: f876c0b4cde4cf27754c95b605b62e1952f7c0416ac38a08db6178a895acb4c1
- SHA512: 99f3f98690da192a7f495236501a40454fcf59bf62c5694f0208b5114886de50ccd23c2d8ad8911a41a670c39369585aa99140269a1534dbea0db4d6eaf6d2b9
- SSDEEP: 6144:KdtifXN7XegqunP25EmcmiSZPoCE0H3tovCL6DJreQQf17E4oMkZ98gWNlPTGQQX:KOl7OgHP/kiSZBhtovE6SdOvINtTird
Malware Config
Extracted
- Family: darkcomet
- Botnet (campaign ID): Guest16
- C2: saw-88.no-ip.biz:1604
- Mutex: DC_MUTEX-FAAE1T4
Attributes
- InstallPath: MSDCSC\msdcsc.exe
- gencode: 4chxqdwMXJlw
- install: true
- offline_keylogger: false
- persistence: true
- reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\MSDCSC\\msdcsc.exe" | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
Executes dropped EXE (1 IoCs)
Processes:
  pid | process
  2804 | msdcsc.exe
Loads dropped DLL (2 IoCs)
Processes:
  pid | process
  2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes:
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\MSDCSC\\msdcsc.exe" | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-1506706701-1246725540-2219210854-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\MSDCSC\\msdcsc.exe" | msdcsc.exe
Writes to the Master Boot Record (MBR) (1 TTPs, 2 IoCs)
Bootkits write to the MBR to gain persistence at a level below the operating system.
Processes:
  description | ioc | process
  File opened for modification | \??\PhysicalDrive0 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  File opened for modification | \??\PhysicalDrive0 | msdcsc.exe
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Program crash (1 IoCs)
Processes:
  pid | pid_target | process | target process
  2472 | 1924 | WerFault.exe | notepad.exe
System Location Discovery: System Language Discovery (1 TTPs, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdcsc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
Suspicious use of AdjustPrivilegeToken (46 IoCs)
Processes:
  description | pid | process
  Token: SeIncreaseQuotaPrivilege | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  Token: SeSecurityPrivilege | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  Token: SeTakeOwnershipPrivilege | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  Token: SeLoadDriverPrivilege | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  Token: SeSystemProfilePrivilege | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  Token: SeSystemtimePrivilege | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  Token: SeProfSingleProcessPrivilege | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  Token: SeIncBasePriorityPrivilege | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  Token: SeCreatePagefilePrivilege | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  Token: SeBackupPrivilege | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  Token: SeRestorePrivilege | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  Token: SeShutdownPrivilege | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  Token: SeDebugPrivilege | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  Token: SeSystemEnvironmentPrivilege | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  Token: SeChangeNotifyPrivilege | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  Token: SeRemoteShutdownPrivilege | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  Token: SeUndockPrivilege | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  Token: SeManageVolumePrivilege | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  Token: SeImpersonatePrivilege | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  Token: SeCreateGlobalPrivilege | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  Token: 33 | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  Token: 34 | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  Token: 35 | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  Token: SeIncreaseQuotaPrivilege | 2804 | msdcsc.exe
  Token: SeSecurityPrivilege | 2804 | msdcsc.exe
  Token: SeTakeOwnershipPrivilege | 2804 | msdcsc.exe
  Token: SeLoadDriverPrivilege | 2804 | msdcsc.exe
  Token: SeSystemProfilePrivilege | 2804 | msdcsc.exe
  Token: SeSystemtimePrivilege | 2804 | msdcsc.exe
  Token: SeProfSingleProcessPrivilege | 2804 | msdcsc.exe
  Token: SeIncBasePriorityPrivilege | 2804 | msdcsc.exe
  Token: SeCreatePagefilePrivilege | 2804 | msdcsc.exe
  Token: SeBackupPrivilege | 2804 | msdcsc.exe
  Token: SeRestorePrivilege | 2804 | msdcsc.exe
  Token: SeShutdownPrivilege | 2804 | msdcsc.exe
  Token: SeDebugPrivilege | 2804 | msdcsc.exe
  Token: SeSystemEnvironmentPrivilege | 2804 | msdcsc.exe
  Token: SeChangeNotifyPrivilege | 2804 | msdcsc.exe
  Token: SeRemoteShutdownPrivilege | 2804 | msdcsc.exe
  Token: SeUndockPrivilege | 2804 | msdcsc.exe
  Token: SeManageVolumePrivilege | 2804 | msdcsc.exe
  Token: SeImpersonatePrivilege | 2804 | msdcsc.exe
  Token: SeCreateGlobalPrivilege | 2804 | msdcsc.exe
  Token: 33 | 2804 | msdcsc.exe
  Token: 34 | 2804 | msdcsc.exe
  Token: 35 | 2804 | msdcsc.exe
Suspicious use of WriteProcessMemory (34 IoCs)
Processes:
  description | pid | process | target process
  PID 2520 wrote to memory of 1924 | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe | notepad.exe
  PID 2520 wrote to memory of 1924 | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe | notepad.exe
  PID 2520 wrote to memory of 1924 | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe | notepad.exe
  PID 2520 wrote to memory of 1924 | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe | notepad.exe
  PID 2520 wrote to memory of 1924 | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe | notepad.exe
  PID 2520 wrote to memory of 1924 | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe | notepad.exe
  PID 2520 wrote to memory of 1924 | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe | notepad.exe
  PID 2520 wrote to memory of 1924 | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe | notepad.exe
  PID 2520 wrote to memory of 1924 | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe | notepad.exe
  PID 2520 wrote to memory of 1924 | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe | notepad.exe
  PID 2520 wrote to memory of 1924 | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe | notepad.exe
  PID 2520 wrote to memory of 1924 | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe | notepad.exe
  PID 2520 wrote to memory of 1924 | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe | notepad.exe
  PID 2520 wrote to memory of 1924 | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe | notepad.exe
  PID 2520 wrote to memory of 1924 | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe | notepad.exe
  PID 2520 wrote to memory of 1924 | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe | notepad.exe
  PID 2520 wrote to memory of 1924 | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe | notepad.exe
  PID 2520 wrote to memory of 1924 | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe | notepad.exe
  PID 1924 wrote to memory of 2472 | 1924 | notepad.exe | WerFault.exe
  PID 1924 wrote to memory of 2472 | 1924 | notepad.exe | WerFault.exe
  PID 1924 wrote to memory of 2472 | 1924 | notepad.exe | WerFault.exe
  PID 1924 wrote to memory of 2472 | 1924 | notepad.exe | WerFault.exe
  PID 2520 wrote to memory of 2804 | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe | msdcsc.exe
  PID 2520 wrote to memory of 2804 | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe | msdcsc.exe
  PID 2520 wrote to memory of 2804 | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe | msdcsc.exe
  PID 2520 wrote to memory of 2804 | 2520 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe | msdcsc.exe
  PID 2804 wrote to memory of 2740 | 2804 | msdcsc.exe | iexplore.exe
  PID 2804 wrote to memory of 2740 | 2804 | msdcsc.exe | iexplore.exe
  PID 2804 wrote to memory of 2740 | 2804 | msdcsc.exe | iexplore.exe
  PID 2804 wrote to memory of 2740 | 2804 | msdcsc.exe | iexplore.exe
  PID 2804 wrote to memory of 2616 | 2804 | msdcsc.exe | explorer.exe
  PID 2804 wrote to memory of 2616 | 2804 | msdcsc.exe | explorer.exe
  PID 2804 wrote to memory of 2616 | 2804 | msdcsc.exe | explorer.exe
  PID 2804 wrote to memory of 2616 | 2804 | msdcsc.exe | explorer.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe"
    PID: 2520
    - Modifies WinLogon for persistence
    - Loads dropped DLL
    - Adds Run key to start application
    - Writes to the Master Boot Record (MBR)
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Windows\SysWOW64\notepad.exe
        Command line: notepad
        PID: 1924
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\WerFault.exe
            Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1924 -s 220
            PID: 2472
            - Program crash

    [2] C:\MSDCSC\msdcsc.exe
        Command line: "C:\MSDCSC\msdcsc.exe"
        PID: 2804
        - Executes dropped EXE
        - Adds Run key to start application
        - Writes to the Master Boot Record (MBR)
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Program Files (x86)\Internet Explorer\iexplore.exe
            Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            PID: 2740

        [3] C:\Windows\explorer.exe
            Command line: "C:\Windows\explorer.exe"
            PID: 2616
Network
MITRE ATT&CK Enterprise v15

Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Pre-OS Boot (1)
  - Bootkit (1)

Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)