Analysis
- max time kernel: 141s
- max time network: 136s
- platform: windows10-2004_x64
- resource: win10v2004-20240802-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240802-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 01-10-2024 12:39
Static task
- static1
Behavioral task
- behavioral1 (Sample: 05d9f7a1325dbec8552ac29083abba7d_JaffaCakes118.exe, Resource: win7-20240704-en)
Behavioral task
- behavioral2 (Sample: 05d9f7a1325dbec8552ac29083abba7d_JaffaCakes118.exe, Resource: win10v2004-20240802-en)
General
- Target: 05d9f7a1325dbec8552ac29083abba7d_JaffaCakes118.exe
- Size: 728KB
- MD5: 05d9f7a1325dbec8552ac29083abba7d
- SHA1: 3cae39bbc9b45a44c3a6b6065a17214cee4cdfb6
- SHA256: 7de4c40e00da26fffce0d8443b3c7052f79133aead3b1d0114c47c3340a82131
- SHA512: 8f1cdeed5668ee85a4ac0d0c602d75e1a8e06be40be861623cec589e3a8f057cafa2df824f8ca51e96fd83585ea15e65087d7fd3ad5195a08a9ca06480d24a1f
- SSDEEP: 12288:47UetrD931Zsa4Nx/8Js5oT2D/5RiQhUUQUtLue4v5teBn6rlvh2aPEnNBt/oTiD:eDp1ZiNxUJaoT2D/XxUUQUtauUZ2aMpJ
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16_min
- C2: 95.37.231.94:60561
- Mutex: DCMIN_MUTEX-YWC1YGK
- InstallPath: DCSCMIN\IMDCSC.exe
- gencode: qpkAqz9YSLLL
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: DarkComet RAT
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\DCSCMIN\\IMDCSC.exe" (Process: 123.exe)

Checks computer location settings (2 TTPs, 2 IoCs)
Looks up the country code configured in the registry, likely a geofence.
- Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (Process: 05d9f7a1325dbec8552ac29083abba7d_JaffaCakes118.exe)
- Key value queried: \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\Control Panel\International\Geo\Nation (Process: 123.exe)

Executes dropped EXE (2 IoCs)
- PID 4584: 123.exe
- PID 4480: IMDCSC.exe

Adds Run key to start application (2 TTPs, 1 IoC)
- Set value (str): \REGISTRY\USER\S-1-5-21-656926755-4116854191-210765258-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\DarkComet RAT = "C:\\Users\\Admin\\AppData\\Local\\Temp\\DCSCMIN\\IMDCSC.exe" (Process: 123.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 05d9f7a1325dbec8552ac29083abba7d_JaffaCakes118.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: 123.exe)
- Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (Process: IMDCSC.exe)

Suspicious use of AdjustPrivilegeToken (48 IoCs)
Each of the two processes below adjusted the same 24 token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36.
- PID 4584: 123.exe
- PID 4480: IMDCSC.exe

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 4480: IMDCSC.exe

Suspicious use of WriteProcessMemory (6 IoCs)
- PID 4992 (05d9f7a1325dbec8552ac29083abba7d_JaffaCakes118.exe) wrote to memory of PID 4584, procid_target 85 (3 events)
- PID 4584 (123.exe) wrote to memory of PID 4480, procid_target 86 (3 events)
Processes
- C:\Users\Admin\AppData\Local\Temp\05d9f7a1325dbec8552ac29083abba7d_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\05d9f7a1325dbec8552ac29083abba7d_JaffaCakes118.exe"
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  PID: 4992
  - C:\Users\Admin\AppData\Local\Temp\123.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\123.exe"
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Executes dropped EXE
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    PID: 4584
    - C:\Users\Admin\AppData\Local\Temp\DCSCMIN\IMDCSC.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\DCSCMIN\IMDCSC.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      PID: 4480
Network

MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Downloads
- Filesize: 658KB
- MD5: 1b14f7ae01bd2c55da49b474c66fd239
- SHA1: 4623c53d0e4acf2ebd5836440a68b87acabcfee6
- SHA256: 5c881bbe2b24ff0f177c0c3c4743de959b3633cb097be8ab4a6ca8f20ea085a0
- SHA512: 028ad9a28cba3f4bf8f62747cc2ad9b80cb3668b3f59791fd428a2549ef7f720d8c15e69ca8e47a348d13e5d3b3d594cf998d766928842a08bd480f8622c0822