Analysis
- max time kernel: 150s
- max time network: 123s
- platform: windows7_x64
- resource: win7-20240903-en
- resource tags: arch:x64, arch:x86, image:win7-20240903-en, locale:en-us, os:windows7-x64, system
- submitted: 06/10/2024, 13:44
Behavioral task: behavioral1
Sample: 1853e7c8b1b062e5f38559ba957bd6ff_JaffaCakes118.exe
Resource: win7-20240903-en
General
- Target: 1853e7c8b1b062e5f38559ba957bd6ff_JaffaCakes118.exe
- Size: 756KB
- MD5: 1853e7c8b1b062e5f38559ba957bd6ff
- SHA1: b5a07baa516c646ccb389eb4219feae21b118c6e
- SHA256: a50b6193e2bdda6bf35018e9e05ff520181228be00f975d3d69282bf945bad93
- SHA512: 8d12c94210c6ca6079c14a071815343441d300595657c2e71146c62feea5f73b6d823a0630f2e16043c4c618b056072fed695c94f1f7694b5326ed567bd31d1b
- SSDEEP: 12288:69HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hfh:2Z1xuVVjfFoynPaVBUR8f+kN10EBlh
Malware Config
Extracted
- Family: darkcomet
- Botnet: Kurban
- C2: myd.servemp3.com:81
- Mutex: DC_MUTEX-68WDUQN
- InstallPath: Csrss\Csrss.exe
- gencode: qJ7zKmGtRf8L
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: Csrss
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\Csrss\\Csrss.exe"
  process: 1853e7c8b1b062e5f38559ba957bd6ff_JaffaCakes118.exe
- Executes dropped EXE (1 IoC)
  PID 2812, process: Csrss.exe
- Loads dropped DLL (2 IoCs)
  PID 1508, process: 1853e7c8b1b062e5f38559ba957bd6ff_JaffaCakes118.exe (2 entries)
- Adds Run key to start application (2 TTPs, 1 IoC)
  description: Set value (str)
  ioc: \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\Csrss = "C:\\Windows\\system32\\Csrss\\Csrss.exe"
  process: 1853e7c8b1b062e5f38559ba957bd6ff_JaffaCakes118.exe
- Drops file in System32 directory (3 IoCs)
  File opened for modification: C:\Windows\SysWOW64\Csrss\ (process: 1853e7c8b1b062e5f38559ba957bd6ff_JaffaCakes118.exe)
  File created: C:\Windows\SysWOW64\Csrss\Csrss.exe (process: 1853e7c8b1b062e5f38559ba957bd6ff_JaffaCakes118.exe)
  File opened for modification: C:\Windows\SysWOW64\Csrss\Csrss.exe (process: 1853e7c8b1b062e5f38559ba957bd6ff_JaffaCakes118.exe)
- Suspicious use of SetThreadContext (1 IoC)
  description: PID 2812 set thread context of 2676
  pid: 2812, process: Csrss.exe, procid_target: 32
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: Csrss.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: iexplore.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: notepad.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: 1853e7c8b1b062e5f38559ba957bd6ff_JaffaCakes118.exe)
- Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 2676, process: iexplore.exe
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  PID 1508, process: 1853e7c8b1b062e5f38559ba957bd6ff_JaffaCakes118.exe (23 entries)
    Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 2812, process: Csrss.exe (23 entries)
    Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 2676, process: iexplore.exe (18 entries)
    Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2676, process: iexplore.exe
- Suspicious use of WriteProcessMemory (33 IoCs)
  PID 1508 wrote to memory of 2812 (process: 1853e7c8b1b062e5f38559ba957bd6ff_JaffaCakes118.exe, procid_target: 31), 4 entries
  PID 2812 wrote to memory of 2676 (process: Csrss.exe, procid_target: 32), 6 entries
  PID 2676 wrote to memory of 2552 (process: iexplore.exe, procid_target: 33), 23 entries
Processes
- C:\Users\Admin\AppData\Local\Temp\1853e7c8b1b062e5f38559ba957bd6ff_JaffaCakes118.exe (depth 1, PID 1508)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1853e7c8b1b062e5f38559ba957bd6ff_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in System32 directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\Csrss\Csrss.exe (depth 2, PID 2812)
    Command line: "C:\Windows\system32\Csrss\Csrss.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe (depth 3, PID 2676)
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      - System Location Discovery: System Language Discovery
      - Suspicious behavior: GetForegroundWindowSpam
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
      - Suspicious use of WriteProcessMemory
      - C:\Windows\SysWOW64\notepad.exe (depth 4, PID 2552)
        Command line: notepad
        - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
- Persistence
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
- Privilege Escalation
  - Boot or Logon Autostart Execution (2)
    - Registry Run Keys / Startup Folder (1)
    - Winlogon Helper DLL (1)
Downloads
- Filesize: 756KB
- MD5: 1853e7c8b1b062e5f38559ba957bd6ff
- SHA1: b5a07baa516c646ccb389eb4219feae21b118c6e
- SHA256: a50b6193e2bdda6bf35018e9e05ff520181228be00f975d3d69282bf945bad93
- SHA512: 8d12c94210c6ca6079c14a071815343441d300595657c2e71146c62feea5f73b6d823a0630f2e16043c4c618b056072fed695c94f1f7694b5326ed567bd31d1b