Analysis

max time kernel: 150s
max time network: 149s
platform: windows10-2004_x64
resource: win10v2004-20240802-en
resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-08-2024 06:49

Static task: static1
Behavioral task: behavioral1
Sample: 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe
Resource: win7-20240708-en
General

Target: 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe
Size: 890KB
MD5: 89673c1d2e00671c71a2ab8037cb7da3
SHA1: b13a9c7bbcd79cd38b6182da0c22a7426784f0c3
SHA256: 8c2df3f9cdcef9fd08faf79d1d8eb233e8e5daf3fab6689d67445120ddd2ba7b
SHA512: 31ac5a99a22f8168e748ebf21b44b7d926381835715626d234fbe2055e1e0a5be150db94469acff357fbf6a5cbd5ce359d20256107a6fffa9c3c591af776ff68
SSDEEP: 12288:xTmBJtebrqexwPbp1iYXgrlh6fznP2y0+bUjCCPAbpaTu626AZq2X2QJ4N0:xq7teaexwX+lh87l9gjCZbpVfN4mp
Malware Config

Extracted

Family: darkcomet
Botnet: Guest16
C2: smr9.no-ip.org:1604
Mutex: DC_MUTEX-NJSZLY8

Attributes:
  InstallPath: MSDCSC\lsass.exe
  gencode: 6xtSkc229rlk
  install: true
  offline_keylogger: false
  password: 123456
  persistence: true
  reg_key: lsass.exe
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\MSDCSC\\lsass.exe" | 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence check.
  Processes:
    description | ioc | process
    Key value queried | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\Control Panel\International\Geo\Nation | 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe

Executes dropped EXE (2 IoCs)
  Processes:
    pid | process
    3636 | lsass.exe
    620 | lsass.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description | ioc | process
    Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "C:\\MSDCSC\\lsass.exe" | 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe
    Set value (str) | \REGISTRY\USER\S-1-5-21-945322488-2060912225-3527527000-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "C:\\MSDCSC\\lsass.exe" | lsass.exe

Suspicious use of SetThreadContext (2 IoCs)
  Processes:
    description | pid | process | target process
    PID 4304 set thread context of 3768 | 4304 | 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe | 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe
    PID 3636 set thread context of 620 | 3636 | lsass.exe | lsass.exe
Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Processes:
    description | ioc | process
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe
    Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | lsass.exe

Modifies registry class (1 IoC)
  Processes:
    description | ioc | process
    Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  Processes:
    pid | process
    620 | lsass.exe
Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes (one row per token privilege; the same 24 privileges are adjusted by each of the two processes):
    description | pid | process
    Token: <privilege> | 3768 | 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe
    Token: <privilege> | 620 | lsass.exe
  Privileges, in the order reported for both processes:
    SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege,
    SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege,
    SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege,
    SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege,
    SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege,
    33, 34, 35, 36

Suspicious use of WriteProcessMemory (31 IoCs)
  Processes (identical rows collapsed, with the row count shown):
    description | pid | process | target process | rows
    PID 4304 wrote to memory of 3768 | 4304 | 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe | 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe | 14
    PID 3768 wrote to memory of 3636 | 3768 | 89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe | lsass.exe | 3
    PID 3636 wrote to memory of 620 | 3636 | lsass.exe | lsass.exe | 14
Processes

C:\Users\Admin\AppData\Local\Temp\89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe (PID 4304)
  command line: "C:\Users\Admin\AppData\Local\Temp\89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe (PID 3768, child of 4304)
    command line: C:\Users\Admin\AppData\Local\Temp\89673c1d2e00671c71a2ab8037cb7da3_JaffaCakes118.exe
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\MSDCSC\lsass.exe (PID 3636, child of 3768)
      command line: "C:\MSDCSC\lsass.exe"
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

      C:\MSDCSC\lsass.exe (PID 620, child of 3636)
        command line: C:\MSDCSC\lsass.exe
        - Executes dropped EXE
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: GetForegroundWindowSpam
        - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)