Analysis
max time kernel: 150s
max time network: 151s
platform: windows10-2004_x64
resource: win10v2004-20240730-en
resource tags: arch:x64 arch:x86 image:win10v2004-20240730-en locale:en-us os:windows10-2004-x64 system
submitted: 01-08-2024 07:22
Static task: static1
Behavioral task: behavioral1
Sample: 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
Resource: win7-20240708-en
General
Target: 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
Size: 592KB
MD5: 7fa2962d464a1e6aaff03c09cf7e538b
SHA1: 53ed1256ee387bd8fd015bba0bdc79d754d22c7c
SHA256: f876c0b4cde4cf27754c95b605b62e1952f7c0416ac38a08db6178a895acb4c1
SHA512: 99f3f98690da192a7f495236501a40454fcf59bf62c5694f0208b5114886de50ccd23c2d8ad8911a41a670c39369585aa99140269a1534dbea0db4d6eaf6d2b9
SSDEEP: 6144:KdtifXN7XegqunP25EmcmiSZPoCE0H3tovCL6DJreQQf17E4oMkZ98gWNlPTGQQX:KOl7OgHP/kiSZBhtovE6SdOvINtTird
Malware Config
Extracted
Family: darkcomet
Botnet ID: Guest16
C2: saw-88.no-ip.biz:1604
Mutex: DC_MUTEX-FAAE1T4
Attributes:
  InstallPath: MSDCSC\msdcsc.exe
  gencode: 4chxqdwMXJlw
  install: true
  offline_keylogger: false
  persistence: true
  reg_key: MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes: 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  description | ioc | process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\MSDCSC\\msdcsc.exe" | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
-
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes: 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  description | ioc | process
  Key value queried | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\Control Panel\International\Geo\Nation | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
-
Executes dropped EXE 1 IoCs
Processes: msdcsc.exe
  pid | process
  1468 | msdcsc.exe
-
Adds Run key to start application 2 TTPs 3 IoCs
Processes: 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe, msdcsc.exe, iexplore.exe
  description | ioc | process
  Set value (str) | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\MSDCSC\\msdcsc.exe" | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\MSDCSC\\msdcsc.exe" | msdcsc.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-195445723-368091294-1661186673-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\MSDCSC\\msdcsc.exe" | iexplore.exe
-
Suspicious use of SetThreadContext 1 IoCs
Processes: msdcsc.exe
  description | pid | process | target process
  PID 1468 set thread context of 3540 | 1468 | msdcsc.exe | iexplore.exe
-
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
Program crash 1 IoCs
Processes: WerFault.exe
  pid | pid_target | process | target process
  3940 | 1860 | WerFault.exe | notepad.exe
-
System Location Discovery: System Language Discovery 1 TTPs 4 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe, notepad.exe, msdcsc.exe, iexplore.exe
  description | ioc | process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdcsc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iexplore.exe
-
Modifies registry class 1 IoCs
Processes: 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
  description | ioc | process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
-
Suspicious use of AdjustPrivilegeToken 64 IoCs
Processes: 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe, msdcsc.exe, iexplore.exe
  description | pid | process
  PID 3760 (7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe), 24 IoCs. Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  PID 1468 (msdcsc.exe), 24 IoCs. Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  PID 3540 (iexplore.exe), 16 IoCs. Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege
-
Suspicious use of WriteProcessMemory 25 IoCs
Processes: 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe, msdcsc.exe
  description | pid | process | target process
  PID 3760 wrote to memory of 1860 | 3760 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe | notepad.exe (17 IoCs)
  PID 3760 wrote to memory of 1468 | 3760 | 7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe | msdcsc.exe (3 IoCs)
  PID 1468 wrote to memory of 3540 | 1468 | msdcsc.exe | iexplore.exe (5 IoCs)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\7fa2962d464a1e6aaff03c09cf7e538b_JaffaCakes118.exe"
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 3760
  [2] C:\Windows\SysWOW64\notepad.exe
      Command line: notepad
      - System Location Discovery: System Language Discovery
      PID: 1860
    [3] C:\Windows\SysWOW64\WerFault.exe
        Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1860 -s 424
        - Program crash
        PID: 3940
  [2] C:\MSDCSC\msdcsc.exe
      Command line: "C:\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      PID: 1468
    [3] C:\Program Files (x86)\Internet Explorer\iexplore.exe
        Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        PID: 3540
[1] C:\Windows\SysWOW64\WerFault.exe
    Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 360 -p 1860 -ip 1860
    PID: 3544
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads
Filesize: 592KB
MD5: 7fa2962d464a1e6aaff03c09cf7e538b
SHA1: 53ed1256ee387bd8fd015bba0bdc79d754d22c7c
SHA256: f876c0b4cde4cf27754c95b605b62e1952f7c0416ac38a08db6178a895acb4c1
SHA512: 99f3f98690da192a7f495236501a40454fcf59bf62c5694f0208b5114886de50ccd23c2d8ad8911a41a670c39369585aa99140269a1534dbea0db4d6eaf6d2b9