General
-
Target
952c5a792347039a153342876e109df9_JaffaCakes118
-
Size
852KB
-
Sample
240814-je9qdavemr
-
MD5
952c5a792347039a153342876e109df9
-
SHA1
7c0848d97001d0f7cdcc6f3b2b0845d0d7a22395
-
SHA256
2d4bf941335e90e9dfbfa59ce34db08f44cefac45917ccf2b352f196f2f85967
-
SHA512
4f49f08f3d18f28adcebab78add0e193bc500a57e86cbfc1ec179980403bda1f02af0bc235dbb4e01c2f3bf6e86bb41e5c15dacf510492862410ec466fe6bb8d
-
SSDEEP
12288:vl8E4w5huat7UovONzbXwZgb8P1ln7Ckacbkd/U42ZOg84OoGNCFvDXzY:bdhHwNzbXM08P1l7CkapD2EhXN0vDj
Behavioral task
behavioral1
Sample
952c5a792347039a153342876e109df9_JaffaCakes118.exe
Resource
win7-20240704-en
Behavioral task
behavioral2
Sample
952c5a792347039a153342876e109df9_JaffaCakes118.exe
Resource
win10v2004-20240802-en
Malware Config
Extracted
darkcomet
Guest16
dzspy.no-ip.info:1604
DC_MUTEX-LGVVJ5D
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
Hia0SoRiyauA
-
install
true
-
offline_keylogger
true
-
password
azerty456
-
persistence
true
-
reg_key
MicroUpdate
Targets
-
-
Target
952c5a792347039a153342876e109df9_JaffaCakes118
-
Size
852KB
-
MD5
952c5a792347039a153342876e109df9
-
SHA1
7c0848d97001d0f7cdcc6f3b2b0845d0d7a22395
-
SHA256
2d4bf941335e90e9dfbfa59ce34db08f44cefac45917ccf2b352f196f2f85967
-
SHA512
4f49f08f3d18f28adcebab78add0e193bc500a57e86cbfc1ec179980403bda1f02af0bc235dbb4e01c2f3bf6e86bb41e5c15dacf510492862410ec466fe6bb8d
-
SSDEEP
12288:vl8E4w5huat7UovONzbXwZgb8P1ln7Ckacbkd/U42ZOg84OoGNCFvDXzY:bdhHwNzbXM08P1l7CkapD2EhXN0vDj
-
Modifies WinLogon for persistence
-
Modifies firewall policy service
-
Modifies security service
-
Disables RegEdit via registry modification
-
Disables Task Manager via registry modification
-
Checks computer location settings
Looks up country code configured in the registry, likely geofence.
-
Event Triggered Execution: Component Object Model Hijacking
Adversaries may establish persistence by executing malicious content triggered by hijacked references to Component Object Model (COM) objects.
-
Executes dropped EXE
-
Loads dropped DLL
-
Adds Run key to start application
-
Suspicious use of SetThreadContext
-
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Component Object Model Hijacking
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Event Triggered Execution
1Component Object Model Hijacking
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
8