Analysis
-
max time kernel
144s -
max time network
147s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
24-10-2024 08:34
Behavioral task
behavioral1
Sample
73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
15 signatures
150 seconds
General
-
Target
73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe
-
Size
251KB
-
MD5
73018a1aa0b4d66d12ee4ff787661ec8
-
SHA1
f9cfdad26472b08d7d70fdb72a25069b37f879e9
-
SHA256
d8921998e196dead7ac38e135f96d4e25179b6cf5f14ae1e95859fbc808d93dd
-
SHA512
68f80ce40e5c932b0d0c52e656e2b9ea0d5528242e3624c9f0baf7384d73779f30bbca46e535c564f7fd6a5aea03a093a3b745f299aa17017737a2b3bf65260d
-
SSDEEP
6144:QcNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37b:QcW7KEZlPzCy37
Malware Config
Extracted
Family
darkcomet
Botnet
us
C2
199.217.119.58:5730
Mutex
DC_MUTEX-B4KEQ1P
Attributes
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
lM7FNnVLabB9
-
install
true
-
offline_keylogger
true
-
password
geli9988
-
persistence
false
-
reg_key
MicroUpdate
Signatures
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
Processes:
73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exedescription ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe -
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
Processes:
attrib.exeattrib.exepid Process 3228 attrib.exe 2876 attrib.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
Processes:
73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exedescription ioc Process Key value queried \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\Control Panel\International\Geo\Nation 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe -
Deletes itself 1 IoCs
Processes:
notepad.exepid Process 4456 notepad.exe -
Executes dropped EXE 1 IoCs
Processes:
msdcsc.exepid Process 4984 msdcsc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
Processes:
73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exedescription ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-493223053-2004649691-1575712786-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe -
Processes:
resource yara_rule behavioral2/memory/1632-0-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral2/files/0x0007000000023ce4-7.dat upx behavioral2/memory/1632-64-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral2/memory/4984-66-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral2/memory/4984-68-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral2/memory/4984-70-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral2/memory/4984-72-0x0000000000400000-0x00000000004B7000-memory.dmp upx behavioral2/memory/4984-74-0x0000000000400000-0x00000000004B7000-memory.dmp upx -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
Processes:
notepad.execmd.execmd.exeattrib.exeattrib.exemsdcsc.exe73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exedescription ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msdcsc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe -
Modifies registry class 1 IoCs
Processes:
73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exedescription ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
Processes:
msdcsc.exepid Process 4984 msdcsc.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
Processes:
73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exemsdcsc.exedescription pid Process Token: SeIncreaseQuotaPrivilege 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe Token: SeSecurityPrivilege 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe Token: SeLoadDriverPrivilege 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe Token: SeSystemProfilePrivilege 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe Token: SeSystemtimePrivilege 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe Token: SeProfSingleProcessPrivilege 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe Token: SeCreatePagefilePrivilege 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe Token: SeBackupPrivilege 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe Token: SeRestorePrivilege 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe Token: SeShutdownPrivilege 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe Token: SeDebugPrivilege 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe Token: SeSystemEnvironmentPrivilege 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe Token: SeRemoteShutdownPrivilege 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe Token: SeUndockPrivilege 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe Token: SeManageVolumePrivilege 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe Token: SeImpersonatePrivilege 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe Token: SeCreateGlobalPrivilege 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe Token: 33 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe Token: 34 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe Token: 35 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe Token: 36 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 4984 msdcsc.exe Token: SeSecurityPrivilege 4984 msdcsc.exe Token: SeTakeOwnershipPrivilege 4984 msdcsc.exe Token: SeLoadDriverPrivilege 4984 msdcsc.exe Token: SeSystemProfilePrivilege 4984 msdcsc.exe Token: SeSystemtimePrivilege 4984 msdcsc.exe Token: SeProfSingleProcessPrivilege 4984 msdcsc.exe Token: SeIncBasePriorityPrivilege 4984 msdcsc.exe Token: SeCreatePagefilePrivilege 4984 msdcsc.exe Token: SeBackupPrivilege 4984 msdcsc.exe Token: SeRestorePrivilege 4984 msdcsc.exe Token: SeShutdownPrivilege 4984 msdcsc.exe Token: SeDebugPrivilege 4984 msdcsc.exe Token: SeSystemEnvironmentPrivilege 4984 msdcsc.exe Token: SeChangeNotifyPrivilege 4984 msdcsc.exe Token: SeRemoteShutdownPrivilege 4984 msdcsc.exe Token: SeUndockPrivilege 4984 msdcsc.exe Token: SeManageVolumePrivilege 4984 msdcsc.exe Token: SeImpersonatePrivilege 4984 msdcsc.exe Token: SeCreateGlobalPrivilege 4984 msdcsc.exe Token: 33 4984 msdcsc.exe Token: 34 4984 msdcsc.exe Token: 35 4984 msdcsc.exe Token: 36 4984 msdcsc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
Processes:
msdcsc.exepid Process 4984 msdcsc.exe -
Suspicious use of WriteProcessMemory 32 IoCs
Processes:
73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.execmd.execmd.exedescription pid Process procid_target PID 1632 wrote to memory of 1652 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe 86 PID 1632 wrote to memory of 1652 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe 86 PID 1632 wrote to memory of 1652 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe 86 PID 1632 wrote to memory of 3176 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe 87 PID 1632 wrote to memory of 3176 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe 87 PID 1632 wrote to memory of 3176 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe 87 PID 1632 wrote to memory of 4456 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe 89 PID 1632 wrote to memory of 4456 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe 89 PID 1632 wrote to memory of 4456 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe 89 PID 1632 wrote to memory of 4456 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe 89 PID 1632 wrote to memory of 4456 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe 89 PID 1632 wrote to memory of 4456 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe 89 PID 1632 wrote to memory of 4456 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe 89 PID 1632 wrote to memory of 4456 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe 89 PID 1632 wrote to memory of 4456 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe 89 PID 1632 wrote to memory of 4456 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe 89 PID 1632 wrote to memory of 4456 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe 89 PID 1632 wrote to memory of 4456 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe 89 PID 1632 wrote to memory of 4456 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe 89 PID 1632 wrote to memory of 4456 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe 89 PID 1632 wrote to memory of 4456 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe 89 PID 1632 wrote to memory of 4456 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe 89 PID 1632 wrote to memory of 4456 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe 89 PID 1652 wrote to memory of 3228 1652 cmd.exe 91 PID 1652 wrote to memory of 3228 1652 cmd.exe 91 PID 1652 wrote to memory of 3228 1652 cmd.exe 91 PID 3176 wrote to memory of 2876 3176 cmd.exe 92 PID 3176 wrote to memory of 2876 3176 cmd.exe 92 PID 3176 wrote to memory of 2876 3176 cmd.exe 92 PID 1632 wrote to memory of 4984 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe 94 PID 1632 wrote to memory of 4984 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe 94 PID 1632 wrote to memory of 4984 1632 73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe 94 -
Views/modifies file attributes 1 TTPs 2 IoCs
Processes:
attrib.exeattrib.exepid Process 3228 attrib.exe 2876 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1632 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:1652 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\73018a1aa0b4d66d12ee4ff787661ec8_JaffaCakes118.exe" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3228
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3176 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2876
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:4456
-
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
PID:4984
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
251KB
MD573018a1aa0b4d66d12ee4ff787661ec8
SHA1f9cfdad26472b08d7d70fdb72a25069b37f879e9
SHA256d8921998e196dead7ac38e135f96d4e25179b6cf5f14ae1e95859fbc808d93dd
SHA51268f80ce40e5c932b0d0c52e656e2b9ea0d5528242e3624c9f0baf7384d73779f30bbca46e535c564f7fd6a5aea03a093a3b745f299aa17017737a2b3bf65260d