Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20240802-en -
resource tags
arch:x64arch:x86image:win10v2004-20240802-enlocale:en-usos:windows10-2004-x64system -
submitted
26-09-2024 09:33
Behavioral task
behavioral1
Sample
f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
Resource
win7-20240708-en
windows7-x64
13 signatures
150 seconds
General
-
Target
f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe
-
Size
350KB
-
MD5
f812781d21e870d00e5e4fc7df650d84
-
SHA1
d4db4e81beab1b328f1a8056afc047102795e6f6
-
SHA256
16e9f95080e6f35658f782bfb345b38c96b9024d199e2f5d8f3bb64c1f92132b
-
SHA512
5ee6296e66e43ab2452ab0b49c96ab1adda6552cb50b4c54b20d7c00bbab0915e6ad72ad80d071ffa64d6f319e9bf876f2619f76bedebb3eb29031dbd3b491df
-
SSDEEP
6144:FMI/jlS4kCwHL76nz9Q3uR5LTYYBIsHHlZsDLDv:FMQlS9Cwr79uLLTvBIYFZKvv
Malware Config
Extracted
Family
darkcomet
Botnet
RAT
C2
shobolozaur.zapto.org:1604
Mutex
DC_MUTEX-F9SDENS
Attributes
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
8ldVUuvAZfED
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Extracted
Family
latentbot
C2
shobolozaur.zapto.org
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe -
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 4856 attrib.exe 1064 attrib.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\Control Panel\International\Geo\Nation f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 4396 msdcsc.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-2412658365-3084825385-3340777666-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" iexplore.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 4396 set thread context of 5100 4396 msdcsc.exe 88 -
resource yara_rule behavioral2/memory/3820-0-0x0000000000400000-0x00000000004EA000-memory.dmp upx behavioral2/files/0x00080000000233f6-6.dat upx behavioral2/memory/3820-15-0x0000000000400000-0x00000000004EA000-memory.dmp upx behavioral2/memory/5100-17-0x0000000000400000-0x00000000004EA000-memory.dmp upx behavioral2/memory/4396-19-0x0000000000400000-0x00000000004EA000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 8 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iexplore.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msdcsc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe Token: SeSecurityPrivilege 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe Token: SeLoadDriverPrivilege 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe Token: SeSystemProfilePrivilege 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe Token: SeSystemtimePrivilege 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe Token: SeProfSingleProcessPrivilege 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe Token: SeCreatePagefilePrivilege 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe Token: SeBackupPrivilege 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe Token: SeRestorePrivilege 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe Token: SeShutdownPrivilege 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe Token: SeDebugPrivilege 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe Token: SeSystemEnvironmentPrivilege 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe Token: SeRemoteShutdownPrivilege 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe Token: SeUndockPrivilege 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe Token: SeManageVolumePrivilege 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe Token: SeImpersonatePrivilege 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe Token: SeCreateGlobalPrivilege 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe Token: 33 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe Token: 34 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe Token: 35 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe Token: 36 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 4396 msdcsc.exe Token: SeSecurityPrivilege 4396 msdcsc.exe Token: SeTakeOwnershipPrivilege 4396 msdcsc.exe Token: SeLoadDriverPrivilege 4396 msdcsc.exe Token: SeSystemProfilePrivilege 4396 msdcsc.exe Token: SeSystemtimePrivilege 4396 msdcsc.exe Token: SeProfSingleProcessPrivilege 4396 msdcsc.exe Token: SeIncBasePriorityPrivilege 4396 msdcsc.exe Token: SeCreatePagefilePrivilege 4396 msdcsc.exe Token: SeBackupPrivilege 4396 msdcsc.exe Token: SeRestorePrivilege 4396 msdcsc.exe Token: SeShutdownPrivilege 4396 msdcsc.exe Token: SeDebugPrivilege 4396 msdcsc.exe Token: SeSystemEnvironmentPrivilege 4396 msdcsc.exe Token: SeChangeNotifyPrivilege 4396 msdcsc.exe Token: SeRemoteShutdownPrivilege 4396 msdcsc.exe Token: SeUndockPrivilege 4396 msdcsc.exe Token: SeManageVolumePrivilege 4396 msdcsc.exe Token: SeImpersonatePrivilege 4396 msdcsc.exe Token: SeCreateGlobalPrivilege 4396 msdcsc.exe Token: 33 4396 msdcsc.exe Token: 34 4396 msdcsc.exe Token: 35 4396 msdcsc.exe Token: 36 4396 msdcsc.exe Token: SeIncreaseQuotaPrivilege 5100 iexplore.exe Token: SeSecurityPrivilege 5100 iexplore.exe Token: SeTakeOwnershipPrivilege 5100 iexplore.exe Token: SeLoadDriverPrivilege 5100 iexplore.exe Token: SeSystemProfilePrivilege 5100 iexplore.exe Token: SeSystemtimePrivilege 5100 iexplore.exe Token: SeProfSingleProcessPrivilege 5100 iexplore.exe Token: SeIncBasePriorityPrivilege 5100 iexplore.exe Token: SeCreatePagefilePrivilege 5100 iexplore.exe Token: SeBackupPrivilege 5100 iexplore.exe Token: SeRestorePrivilege 5100 iexplore.exe Token: SeShutdownPrivilege 5100 iexplore.exe Token: SeDebugPrivilege 5100 iexplore.exe Token: SeSystemEnvironmentPrivilege 5100 iexplore.exe Token: SeChangeNotifyPrivilege 5100 iexplore.exe Token: SeRemoteShutdownPrivilege 5100 iexplore.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 5100 iexplore.exe -
Suspicious use of WriteProcessMemory 42 IoCs
description pid Process procid_target PID 3820 wrote to memory of 4888 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe 82 PID 3820 wrote to memory of 4888 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe 82 PID 3820 wrote to memory of 4888 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe 82 PID 3820 wrote to memory of 3264 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe 84 PID 3820 wrote to memory of 3264 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe 84 PID 3820 wrote to memory of 3264 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe 84 PID 3820 wrote to memory of 4396 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe 86 PID 3820 wrote to memory of 4396 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe 86 PID 3820 wrote to memory of 4396 3820 f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe 86 PID 3264 wrote to memory of 4856 3264 cmd.exe 87 PID 3264 wrote to memory of 4856 3264 cmd.exe 87 PID 3264 wrote to memory of 4856 3264 cmd.exe 87 PID 4396 wrote to memory of 5100 4396 msdcsc.exe 88 PID 4396 wrote to memory of 5100 4396 msdcsc.exe 88 PID 4396 wrote to memory of 5100 4396 msdcsc.exe 88 PID 4396 wrote to memory of 5100 4396 msdcsc.exe 88 PID 4396 wrote to memory of 5100 4396 msdcsc.exe 88 PID 4888 wrote to memory of 1064 4888 cmd.exe 89 PID 4888 wrote to memory of 1064 4888 cmd.exe 89 PID 4888 wrote to memory of 1064 4888 cmd.exe 89 PID 5100 wrote to memory of 1084 5100 iexplore.exe 90 PID 5100 wrote to memory of 1084 5100 iexplore.exe 90 PID 5100 wrote to memory of 1084 5100 iexplore.exe 90 PID 5100 wrote to memory of 1084 5100 iexplore.exe 90 PID 5100 wrote to memory of 1084 5100 iexplore.exe 90 PID 5100 wrote to memory of 1084 5100 iexplore.exe 90 PID 5100 wrote to memory of 1084 5100 iexplore.exe 90 PID 5100 wrote to memory of 1084 5100 iexplore.exe 90 PID 5100 wrote to memory of 1084 5100 iexplore.exe 90 PID 5100 wrote to memory of 1084 5100 iexplore.exe 90 PID 5100 wrote to memory of 1084 5100 iexplore.exe 90 PID 5100 wrote to memory of 1084 5100 iexplore.exe 90 PID 5100 wrote to memory of 1084 5100 iexplore.exe 90 PID 5100 wrote to memory of 1084 5100 iexplore.exe 90 PID 5100 wrote to memory of 1084 5100 iexplore.exe 90 PID 5100 wrote to memory of 1084 5100 iexplore.exe 90 PID 5100 wrote to memory of 1084 5100 iexplore.exe 90 PID 5100 wrote to memory of 1084 5100 iexplore.exe 90 PID 5100 wrote to memory of 1084 5100 iexplore.exe 90 PID 5100 wrote to memory of 1084 5100 iexplore.exe 90 PID 5100 wrote to memory of 1084 5100 iexplore.exe 90 PID 5100 wrote to memory of 1084 5100 iexplore.exe 90 -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 4856 attrib.exe 1064 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3820 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:4888 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\f812781d21e870d00e5e4fc7df650d84_JaffaCakes118.exe" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1064
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3264 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:4856
-
-
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4396 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:5100 -
C:\Windows\SysWOW64\notepad.exenotepad4⤵
- System Location Discovery: System Language Discovery
PID:1084
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
350KB
MD5f812781d21e870d00e5e4fc7df650d84
SHA1d4db4e81beab1b328f1a8056afc047102795e6f6
SHA25616e9f95080e6f35658f782bfb345b38c96b9024d199e2f5d8f3bb64c1f92132b
SHA5125ee6296e66e43ab2452ab0b49c96ab1adda6552cb50b4c54b20d7c00bbab0915e6ad72ad80d071ffa64d6f319e9bf876f2619f76bedebb3eb29031dbd3b491df