Analysis
Max time kernel: 2s
Platform: windows11-21h2_x64
Resource: win11-20241007-en
Resource tags: arch:x64, arch:x86, image:win11-20241007-en, locale:en-us, os:windows11-21h2-x64, system
Submitted: 15-10-2024 10:58
Static task: static1
Behavioral task: behavioral1 (sample 46a164b4d55bc0ce86a0eb8d1f0bf0ab_JaffaCakes118.exe, resource win11-20241007-en)
General
Target: 46a164b4d55bc0ce86a0eb8d1f0bf0ab_JaffaCakes118.exe
Size: 1.5MB
MD5: 46a164b4d55bc0ce86a0eb8d1f0bf0ab
SHA1: ec07a7fb5cb84172a23df4dbc1859e986731c2ca
SHA256: ef620704c613700230068fdebce73e5c02bf55eab3c769f254dae8e836bb2e81
SHA512: 166ccc1541e263803ed1d44fbdb839bdff4d2d590e1ece918c7d1ee53e234ff01e71ffdc7253535f63751de933c74034e79dce5a893c0ef2a172fd8d63cf9cef
SSDEEP: 12288:4ejq8CtSp/MqZRWxriTLOucGXyjmrDNZnwAvYmSev2dJryCTW8H/uufTJC16BcjJ:ZRWdHmRIluk5lqqvx8zbqGEac1Ty
Malware Config
Extracted family: darkcomet
Botnet: 10101010101010
C2: pcbe.no-ip.org:82
Mutex: DC_MUTEX-63SE6T6
Attributes:
- InstallPath: MSDCSC\msdjcsc.exe
- gencode: kzwtgw276UwL
- install: true
- offline_keylogger: true
- password: 12345678
- persistence: true
- reg_key: StartUp
Signatures
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Process: vbc.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdjcsc.exe"
Executes dropped EXE (1 IoC)
Process: msdjcsc.exe
- PID 3168 msdjcsc.exe
Uses the VBS compiler for execution (1 TTP)
Adds Run key to start application (2 TTPs, 1 IoC)
Process: vbc.exe
- Set value (str) \REGISTRY\USER\S-1-5-21-2499603254-3415597248-1508446358-1000\Software\Microsoft\Windows\CurrentVersion\Run\StartUp = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdjcsc.exe"
Suspicious use of SetThreadContext (1 IoC)
Process: 46a164b4d55bc0ce86a0eb8d1f0bf0ab_JaffaCakes118.exe
- PID 956 set thread context of PID 3480 (procid_target 77)
YARA rule matches (resource: rule)
- behavioral1/memory/3480-3-0x0000000000400000-0x00000000004B7000-memory.dmp: upx
- behavioral1/memory/3480-5-0x0000000000400000-0x00000000004B7000-memory.dmp: upx
- behavioral1/memory/3480-6-0x0000000000400000-0x00000000004B7000-memory.dmp: upx
- behavioral1/memory/3480-8-0x0000000000400000-0x00000000004B7000-memory.dmp: upx
- behavioral1/memory/3480-7-0x0000000000400000-0x00000000004B7000-memory.dmp: upx
- behavioral1/memory/3480-9-0x0000000000400000-0x00000000004B7000-memory.dmp: upx
- behavioral1/memory/3480-26-0x0000000000400000-0x00000000004B7000-memory.dmp: upx
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
Processes: 46a164b4d55bc0ce86a0eb8d1f0bf0ab_JaffaCakes118.exe, vbc.exe, msdjcsc.exe
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (46a164b4d55bc0ce86a0eb8d1f0bf0ab_JaffaCakes118.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vbc.exe)
- Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (msdjcsc.exe)
Suspicious behavior: EnumeratesProcesses (1 IoC)
Process: 46a164b4d55bc0ce86a0eb8d1f0bf0ab_JaffaCakes118.exe
- PID 956 46a164b4d55bc0ce86a0eb8d1f0bf0ab_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (25 IoCs)
Processes: vbc.exe, 46a164b4d55bc0ce86a0eb8d1f0bf0ab_JaffaCakes118.exe
- PID 3480 vbc.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- PID 956 46a164b4d55bc0ce86a0eb8d1f0bf0ab_JaffaCakes118.exe, tokens: SeDebugPrivilege
Suspicious use of WriteProcessMemory (11 IoCs)
Processes: 46a164b4d55bc0ce86a0eb8d1f0bf0ab_JaffaCakes118.exe, vbc.exe
- PID 956 46a164b4d55bc0ce86a0eb8d1f0bf0ab_JaffaCakes118.exe wrote to memory of PID 3480 (procid_target 77), 8 times
- PID 3480 vbc.exe wrote to memory of PID 3168 (procid_target 78), 3 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\46a164b4d55bc0ce86a0eb8d1f0bf0ab_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\46a164b4d55bc0ce86a0eb8d1f0bf0ab_JaffaCakes118.exe"
   PID: 956
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious behavior: EnumeratesProcesses
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (child of PID 956)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
      PID: 3480
      - Modifies WinLogon for persistence
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdjcsc.exe (child of PID 3480)
         Command line: "C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdjcsc.exe"
         PID: 3168
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 1.1MB
MD5: c67110872ae3b9a230031b6c353fd9d5
SHA1: 93c13b8b2cd60d5ac1afade2d73691328d25166d
SHA256: d964bc9f883fa390acd51b8d8a6104c4fe4ba3e3630d4ff1a4a59ffd52b15f2e
SHA512: 3e2960d91d0c97cbbea76a41fdb5eb6487a5c45779ad44a2a39c5e5c9415f3aeacf9c98462f1db555f0e315cf2fc6b426a0b18b3f639068985f44f208f8c5072