Analysis Overview
SHA256
dc4a8fc218f79aea3d18b9326717d5a219c154a6aa6f3a4f7ef258023ebc0692
Threat Level: Known bad
The file 7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118 was found to be: Known bad.
Malicious Activity Summary
Darkcomet
Modifies WinLogon for persistence
Darkcomet family
Sets file to hidden
Loads dropped DLL
Executes dropped EXE
Checks computer location settings
Uses the VBS compiler for execution
Adds Run key to start application
Suspicious use of SetThreadContext
Drops file in Windows directory
Unsigned PE
Enumerates physical storage devices
System Location Discovery: System Language Discovery
Program crash
Views/modifies file attributes
Modifies registry class
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
MITRE ATT&CK
Enterprise Matrix V15
Analysis: static1
Detonation Overview
Reported
2024-10-30 02:17
Signatures
Unsigned PE
| Description | Indicator | Process | Target |
| N/A | N/A | N/A | N/A |
Analysis: behavioral1
Detonation Overview
Submitted
2024-10-30 02:17
Reported
2024-10-30 02:22
Platform
win7-20240708-en
Max time kernel
119s
Max time network
121s
Command Line
Signatures
Darkcomet
Darkcomet family
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\My Application.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TASKMGR.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A |
Loads dropped DLL
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-3551809350-4263495960-1443967649-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 2332 set thread context of 2340 | N/A | C:\Users\Admin\AppData\Local\Temp\7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727 | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\TASKMGR.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\My Application.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TASKMGR.EXE | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Users\Admin\AppData\Local\Temp\My Application.exe
"C:\Users\Admin\AppData\Local\Temp\My Application.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
C:\Users\Admin\AppData\Local\Temp\TASKMGR.EXE
"C:\Users\Admin\AppData\Local\Temp\TASKMGR.EXE"
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 1600 -s 1056
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | automation.whatismyip.com | udp |
| N/A | 127.0.0.1:80 | tcp |
Files
memory/2332-0-0x0000000074F21000-0x0000000074F22000-memory.dmp
memory/2332-1-0x0000000074F20000-0x00000000754CB000-memory.dmp
memory/2332-2-0x0000000074F20000-0x00000000754CB000-memory.dmp
memory/2340-3-0x0000000000400000-0x0000000000531000-memory.dmp
memory/2340-8-0x0000000000400000-0x0000000000531000-memory.dmp
memory/2340-14-0x0000000000400000-0x0000000000531000-memory.dmp
memory/2340-17-0x0000000000400000-0x0000000000531000-memory.dmp
memory/2340-12-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
memory/2340-11-0x0000000000400000-0x0000000000531000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\My Application.exe
| MD5 | e031e5491425690d44aa78fd354369be |
| SHA1 | 476247963de5cb437a74b4e4998d7481300a6e4f |
| SHA256 | fdbe83346b24ddb37c3d8ffb13c58e3249990f85afaf1bbf27cfcfb3096f095c |
| SHA512 | f1d42d4a5ebb9983588922175b51f720988771239ab79566de32ae26cd649cfeee8085a11ea67a31aaebdee52ca17e54edb5f9c9e2ec3c4128da143747f0f373 |
memory/2340-23-0x0000000000280000-0x0000000000281000-memory.dmp
memory/2332-24-0x0000000074F20000-0x00000000754CB000-memory.dmp
memory/2340-10-0x0000000000400000-0x0000000000531000-memory.dmp
memory/2340-9-0x0000000000400000-0x0000000000531000-memory.dmp
memory/2340-15-0x0000000000400000-0x0000000000531000-memory.dmp
memory/2340-7-0x0000000000400000-0x0000000000531000-memory.dmp
memory/2340-6-0x0000000000400000-0x0000000000531000-memory.dmp
memory/2340-5-0x0000000000400000-0x0000000000531000-memory.dmp
\Users\Admin\AppData\Local\Temp\TASKMGR.EXE
| MD5 | 89d3827b3bf71a62537e026285407a70 |
| SHA1 | 90fa59f8f1312b1dca2b0a03ee9c5ba20ad4df6f |
| SHA256 | ecdfb702317472c6e9e6c91fbbdd0488a8024fdf215961c15d0cacd91258ada1 |
| SHA512 | 73a664fd9fa45a0d2d9c13017e2c3e762beaad85544550849855494548ebf6e8d62a4fd942e2aa61f9d1cac043774153be1d32957d095ef3b7d286bc8bed2943 |
memory/1600-34-0x0000000000960000-0x00000000009E6000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
| MD5 | 34aa912defa18c2c129f1e09d75c1d7e |
| SHA1 | 9c3046324657505a30ecd9b1fdb46c05bde7d470 |
| SHA256 | 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386 |
| SHA512 | d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98 |
memory/2340-41-0x0000000000400000-0x0000000000531000-memory.dmp
Analysis: behavioral2
Detonation Overview
Submitted
2024-10-30 02:17
Reported
2024-10-30 02:23
Platform
win10v2004-20241007-en
Max time kernel
148s
Max time network
152s
Command Line
Signatures
Darkcomet
Darkcomet family
Modifies WinLogon for persistence
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Sets file to hidden
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Checks computer location settings
| Description | Indicator | Process | Target |
| Key value queried | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\Control Panel\International\Geo\Nation | C:\Users\Admin\AppData\Local\Temp\7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118.exe | N/A |
Executes dropped EXE
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\My Application.exe | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\TASKMGR.EXE | N/A |
| N/A | N/A | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A |
Uses the VBS compiler for execution
Adds Run key to start application
| Description | Indicator | Process | Target |
| Set value (str) | \REGISTRY\USER\S-1-5-21-4089630652-1596403869-279772308-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Local\\Temp\\MSDCSC\\msdcsc.exe" | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of SetThreadContext
| Description | Indicator | Process | Target |
| PID 3092 set thread context of 3508 | N/A | C:\Users\Admin\AppData\Local\Temp\7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118.exe | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe |
Drops file in Windows directory
| Description | Indicator | Process | Target |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727 | C:\Windows\SysWOW64\attrib.exe | N/A |
| File opened for modification | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | C:\Windows\SysWOW64\attrib.exe | N/A |
Enumerates physical storage devices
Program crash
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\WerFault.exe | C:\Users\Admin\AppData\Local\Temp\TASKMGR.EXE |
System Location Discovery: System Language Discovery
| Description | Indicator | Process | Target |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\My Application.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\cmd.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\SysWOW64\attrib.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
| Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | C:\Users\Admin\AppData\Local\Temp\TASKMGR.EXE | N/A |
Modifies registry class
| Description | Indicator | Process | Target |
| Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe | N/A |
Suspicious use of AdjustPrivilegeToken
Suspicious use of WriteProcessMemory
Views/modifies file attributes
| Description | Indicator | Process | Target |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
| N/A | N/A | C:\Windows\SysWOW64\attrib.exe | N/A |
Processes
C:\Users\Admin\AppData\Local\Temp\7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118.exe
"C:\Users\Admin\AppData\Local\Temp\7d90f7a105098f45110f71e7c5acf0d1_JaffaCakes118.exe"
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
C:\Users\Admin\AppData\Local\Temp\My Application.exe
"C:\Users\Admin\AppData\Local\Temp\My Application.exe"
C:\Windows\SysWOW64\cmd.exe
"C:\Windows\System32\cmd.exe" /k attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
C:\Users\Admin\AppData\Local\Temp\TASKMGR.EXE
"C:\Users\Admin\AppData\Local\Temp\TASKMGR.EXE"
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" +s +h
C:\Windows\SysWOW64\attrib.exe
attrib "C:\Windows\Microsoft.NET\Framework\v2.0.50727" +s +h
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
"C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe"
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -pss -s 368 -p 404 -ip 404
C:\Windows\SysWOW64\WerFault.exe
C:\Windows\SysWOW64\WerFault.exe -u -p 404 -s 1516
Network
| Country | Destination | Domain | Proto |
| US | 8.8.8.8:53 | g.bing.com | udp |
| US | 150.171.27.10:443 | g.bing.com | tcp |
| US | 8.8.8.8:53 | 97.17.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 10.27.171.150.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 95.221.229.192.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 23.159.190.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 79.190.18.2.in-addr.arpa | udp |
| US | 8.8.8.8:53 | automation.whatismyip.com | udp |
| N/A | 127.0.0.1:80 | tcp | |
| US | 8.8.8.8:53 | 196.249.167.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 149.220.183.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 212.20.149.52.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 171.39.242.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | 88.156.103.20.in-addr.arpa | udp |
| US | 8.8.8.8:53 | tse1.mm.bing.net | udp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
| US | 150.171.28.10:443 | tse1.mm.bing.net | tcp |
Files
memory/3092-0-0x0000000074932000-0x0000000074933000-memory.dmp
memory/3092-1-0x0000000074930000-0x0000000074EE1000-memory.dmp
memory/3092-2-0x0000000074930000-0x0000000074EE1000-memory.dmp
memory/3508-3-0x0000000000400000-0x0000000000531000-memory.dmp
memory/3508-4-0x0000000000400000-0x0000000000531000-memory.dmp
memory/3508-5-0x0000000000400000-0x0000000000531000-memory.dmp
memory/3508-6-0x0000000000400000-0x0000000000531000-memory.dmp
memory/3508-8-0x0000000000400000-0x0000000000531000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\My Application.exe
| MD5 | e031e5491425690d44aa78fd354369be |
| SHA1 | 476247963de5cb437a74b4e4998d7481300a6e4f |
| SHA256 | fdbe83346b24ddb37c3d8ffb13c58e3249990f85afaf1bbf27cfcfb3096f095c |
| SHA512 | f1d42d4a5ebb9983588922175b51f720988771239ab79566de32ae26cd649cfeee8085a11ea67a31aaebdee52ca17e54edb5f9c9e2ec3c4128da143747f0f373 |
C:\Users\Admin\AppData\Local\Temp\TASKMGR.EXE
| MD5 | 89d3827b3bf71a62537e026285407a70 |
| SHA1 | 90fa59f8f1312b1dca2b0a03ee9c5ba20ad4df6f |
| SHA256 | ecdfb702317472c6e9e6c91fbbdd0488a8024fdf215961c15d0cacd91258ada1 |
| SHA512 | 73a664fd9fa45a0d2d9c13017e2c3e762beaad85544550849855494548ebf6e8d62a4fd942e2aa61f9d1cac043774153be1d32957d095ef3b7d286bc8bed2943 |
memory/3092-31-0x0000000074930000-0x0000000074EE1000-memory.dmp
memory/404-34-0x0000000000D30000-0x0000000000DB6000-memory.dmp
memory/404-35-0x0000000005710000-0x0000000005CB4000-memory.dmp
memory/404-36-0x0000000005020000-0x00000000050BC000-memory.dmp
memory/404-37-0x0000000005200000-0x0000000005292000-memory.dmp
C:\Users\Admin\AppData\Local\Temp\MSDCSC\msdcsc.exe
| MD5 | d881de17aa8f2e2c08cbb7b265f928f9 |
| SHA1 | 08936aebc87decf0af6e8eada191062b5e65ac2a |
| SHA256 | b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0 |
| SHA512 | 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34 |
memory/3508-96-0x0000000000400000-0x0000000000531000-memory.dmp