Analysis
-
max time kernel
141s -
max time network
123s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
16-10-2024 16:37
Static task
static1
1 signatures
Behavioral task
behavioral1
Sample
4de1c5485e4e5193eea571dbc6d0606d_JaffaCakes118.exe
Resource
win7-20241010-en
windows7-x64
11 signatures
150 seconds
General
-
Target
4de1c5485e4e5193eea571dbc6d0606d_JaffaCakes118.exe
-
Size
898KB
-
MD5
4de1c5485e4e5193eea571dbc6d0606d
-
SHA1
81b4123710e7f6a012b6680be179671586c85f66
-
SHA256
d3a4ebd2f8291633618bbec77f27b8c9bd7fef27e60a47c206f3d8c41aeded6c
-
SHA512
d292b84daeefbb1166e61f718760aa1d44f7ec195f7948633e87e369cf236ec4d67c314611941903205ff077ca9de1894c7805d181a27bedc857616d4e68bc03
-
SSDEEP
24576:3dQoweo+5d5lW4T0LReq86st68g6if0uGbS21tA23:3dQGo8h41iDghWSi
Malware Config
Extracted
Family
darkcomet
Botnet
Guest16
C2
95.79.31.101:1604
Mutex
DC_MUTEX-E2ZGDTS
Attributes
-
InstallPath
MSDCSC\svchost.exe
-
gencode
rW8pc78Q0Uk7
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
2929.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\svchost.exe" 2929.exe -
Checks computer location settings 2 TTPs 2 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
4de1c5485e4e5193eea571dbc6d0606d_JaffaCakes118.exe2929.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation 4de1c5485e4e5193eea571dbc6d0606d_JaffaCakes118.exe Key value queried \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation 2929.exe -
Executes dropped EXE 3 IoCs
Processes:
2929.exeHardDiskSerialNumberChanger.exesvchost.exepid Process 3040 2929.exe 2308 HardDiskSerialNumberChanger.exe 4044 svchost.exe -
Adds Run key to start application 2 TTPs 2 IoCs
Processes:
2929.exesvchost.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\svchost.exe" 2929.exe Set value (str) \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\svchost.exe" svchost.exe -
Enumerates connected drives 3 TTPs 23 IoCs
Attempts to read the root path of hard drives other than the default C: drive.
Processes:
HardDiskSerialNumberChanger.exedescription ioc Process File opened (read-only) \??\A: HardDiskSerialNumberChanger.exe File opened (read-only) \??\H: HardDiskSerialNumberChanger.exe File opened (read-only) \??\U: HardDiskSerialNumberChanger.exe File opened (read-only) \??\Y: HardDiskSerialNumberChanger.exe File opened (read-only) \??\G: HardDiskSerialNumberChanger.exe File opened (read-only) \??\O: HardDiskSerialNumberChanger.exe File opened (read-only) \??\R: HardDiskSerialNumberChanger.exe File opened (read-only) \??\X: HardDiskSerialNumberChanger.exe File opened (read-only) \??\Z: HardDiskSerialNumberChanger.exe File opened (read-only) \??\E: HardDiskSerialNumberChanger.exe File opened (read-only) \??\K: HardDiskSerialNumberChanger.exe File opened (read-only) \??\L: HardDiskSerialNumberChanger.exe File opened (read-only) \??\M: HardDiskSerialNumberChanger.exe File opened (read-only) \??\S: HardDiskSerialNumberChanger.exe File opened (read-only) \??\T: HardDiskSerialNumberChanger.exe File opened (read-only) \??\V: HardDiskSerialNumberChanger.exe File opened (read-only) \??\W: HardDiskSerialNumberChanger.exe File opened (read-only) \??\B: HardDiskSerialNumberChanger.exe File opened (read-only) \??\I: HardDiskSerialNumberChanger.exe File opened (read-only) \??\J: HardDiskSerialNumberChanger.exe File opened (read-only) \??\N: HardDiskSerialNumberChanger.exe File opened (read-only) \??\P: HardDiskSerialNumberChanger.exe File opened (read-only) \??\Q: HardDiskSerialNumberChanger.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 5 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
2929.exeHardDiskSerialNumberChanger.exenotepad.exesvchost.exe4de1c5485e4e5193eea571dbc6d0606d_JaffaCakes118.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 2929.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language HardDiskSerialNumberChanger.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language svchost.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 4de1c5485e4e5193eea571dbc6d0606d_JaffaCakes118.exe -
Modifies registry class 1 IoCs
Processes:
2929.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 2929.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
2929.exesvchost.exedescription pid Process Token: SeIncreaseQuotaPrivilege 3040 2929.exe Token: SeSecurityPrivilege 3040 2929.exe Token: SeTakeOwnershipPrivilege 3040 2929.exe Token: SeLoadDriverPrivilege 3040 2929.exe Token: SeSystemProfilePrivilege 3040 2929.exe Token: SeSystemtimePrivilege 3040 2929.exe Token: SeProfSingleProcessPrivilege 3040 2929.exe Token: SeIncBasePriorityPrivilege 3040 2929.exe Token: SeCreatePagefilePrivilege 3040 2929.exe Token: SeBackupPrivilege 3040 2929.exe Token: SeRestorePrivilege 3040 2929.exe Token: SeShutdownPrivilege 3040 2929.exe Token: SeDebugPrivilege 3040 2929.exe Token: SeSystemEnvironmentPrivilege 3040 2929.exe Token: SeChangeNotifyPrivilege 3040 2929.exe Token: SeRemoteShutdownPrivilege 3040 2929.exe Token: SeUndockPrivilege 3040 2929.exe Token: SeManageVolumePrivilege 3040 2929.exe Token: SeImpersonatePrivilege 3040 2929.exe Token: SeCreateGlobalPrivilege 3040 2929.exe Token: 33 3040 2929.exe Token: 34 3040 2929.exe Token: 35 3040 2929.exe Token: 36 3040 2929.exe Token: SeIncreaseQuotaPrivilege 4044 svchost.exe Token: SeSecurityPrivilege 4044 svchost.exe Token: SeTakeOwnershipPrivilege 4044 svchost.exe Token: SeLoadDriverPrivilege 4044 svchost.exe Token: SeSystemProfilePrivilege 4044 svchost.exe Token: SeSystemtimePrivilege 4044 svchost.exe Token: SeProfSingleProcessPrivilege 4044 svchost.exe Token: SeIncBasePriorityPrivilege 4044 svchost.exe Token: SeCreatePagefilePrivilege 4044 svchost.exe Token: SeBackupPrivilege 4044 svchost.exe Token: SeRestorePrivilege 4044 svchost.exe Token: SeShutdownPrivilege 4044 svchost.exe Token: SeDebugPrivilege 4044 svchost.exe Token: SeSystemEnvironmentPrivilege 4044 svchost.exe Token: SeChangeNotifyPrivilege 4044 svchost.exe Token: SeRemoteShutdownPrivilege 4044 svchost.exe Token: SeUndockPrivilege 4044 svchost.exe Token: SeManageVolumePrivilege 4044 svchost.exe Token: SeImpersonatePrivilege 4044 svchost.exe Token: SeCreateGlobalPrivilege 4044 svchost.exe Token: 33 4044 svchost.exe Token: 34 4044 svchost.exe Token: 35 4044 svchost.exe Token: 36 4044 svchost.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
svchost.exepid Process 4044 svchost.exe -
Suspicious use of WriteProcessMemory 26 IoCs
Processes:
4de1c5485e4e5193eea571dbc6d0606d_JaffaCakes118.exe2929.exedescription pid Process procid_target PID 2156 wrote to memory of 3040 2156 4de1c5485e4e5193eea571dbc6d0606d_JaffaCakes118.exe 84 PID 2156 wrote to memory of 3040 2156 4de1c5485e4e5193eea571dbc6d0606d_JaffaCakes118.exe 84 PID 2156 wrote to memory of 3040 2156 4de1c5485e4e5193eea571dbc6d0606d_JaffaCakes118.exe 84 PID 2156 wrote to memory of 2308 2156 4de1c5485e4e5193eea571dbc6d0606d_JaffaCakes118.exe 85 PID 2156 wrote to memory of 2308 2156 4de1c5485e4e5193eea571dbc6d0606d_JaffaCakes118.exe 85 PID 2156 wrote to memory of 2308 2156 4de1c5485e4e5193eea571dbc6d0606d_JaffaCakes118.exe 85 PID 3040 wrote to memory of 3332 3040 2929.exe 86 PID 3040 wrote to memory of 3332 3040 2929.exe 86 PID 3040 wrote to memory of 3332 3040 2929.exe 86 PID 3040 wrote to memory of 3332 3040 2929.exe 86 PID 3040 wrote to memory of 3332 3040 2929.exe 86 PID 3040 wrote to memory of 3332 3040 2929.exe 86 PID 3040 wrote to memory of 3332 3040 2929.exe 86 PID 3040 wrote to memory of 3332 3040 2929.exe 86 PID 3040 wrote to memory of 3332 3040 2929.exe 86 PID 3040 wrote to memory of 3332 3040 2929.exe 86 PID 3040 wrote to memory of 3332 3040 2929.exe 86 PID 3040 wrote to memory of 3332 3040 2929.exe 86 PID 3040 wrote to memory of 3332 3040 2929.exe 86 PID 3040 wrote to memory of 3332 3040 2929.exe 86 PID 3040 wrote to memory of 3332 3040 2929.exe 86 PID 3040 wrote to memory of 3332 3040 2929.exe 86 PID 3040 wrote to memory of 3332 3040 2929.exe 86 PID 3040 wrote to memory of 4044 3040 2929.exe 89 PID 3040 wrote to memory of 4044 3040 2929.exe 89 PID 3040 wrote to memory of 4044 3040 2929.exe 89
Processes
-
C:\Users\Admin\AppData\Local\Temp\4de1c5485e4e5193eea571dbc6d0606d_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\4de1c5485e4e5193eea571dbc6d0606d_JaffaCakes118.exe"1⤵
- Checks computer location settings
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2156 -
C:\Users\Admin\AppData\Local\Temp\2929.exe"C:\Users\Admin\AppData\Local\Temp\2929.exe"2⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:3040 -
C:\Windows\SysWOW64\notepad.exenotepad3⤵
- System Location Discovery: System Language Discovery
PID:3332
-
-
C:\Users\Admin\Documents\MSDCSC\svchost.exe"C:\Users\Admin\Documents\MSDCSC\svchost.exe"3⤵
- Executes dropped EXE
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4044
-
-
-
C:\Users\Admin\AppData\Local\Temp\HardDiskSerialNumberChanger.exe"C:\Users\Admin\AppData\Local\Temp\HardDiskSerialNumberChanger.exe"2⤵
- Executes dropped EXE
- Enumerates connected drives
- System Location Discovery: System Language Discovery
PID:2308
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
690KB
MD51c1e287690221213a5a450e099a57c38
SHA13406b8d85028fdd610a656e8bcc792b918576456
SHA2564c4f37f35696c74f98a3eb4231f520f03a1b7d797ff2ef3751ad411f722ef593
SHA5120f669c05d7857fbd68fac19bab740dce81904d7c74531e96f7ddb2ba5fb1d648649cc284fcc03a62a08b47054a0c2e94391fe8bac0e5ec9c592eb441c40441c4
-
Filesize
636KB
MD5c20e96d4e616ce333c19a1c15a1cc137
SHA1f79645ec115130ee59958c55a556f564260b7a9e
SHA2562c141c06f7df57f11ef2c62f2a96093484a65df47065b1a475c53784af0e2664
SHA512519fec9955c4a18e45ec68d9e7dc2bcda74721a6ea088e59e634e26b136bfa15f5efedf8839c036a3cfdcdb9780a2121dc2d71f1fdbbfd3df02d9969e5db753b