Analysis
max time kernel: 141s
max time network: 155s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 29-11-2024 13:45
Static task: static1
Behavioral task: behavioral1
Sample: b19eda147b532b40f1d44c452644760d_JaffaCakes118.exe
Resource: win7-20241023-en
General
Target: b19eda147b532b40f1d44c452644760d_JaffaCakes118.exe
Size: 933KB
MD5: b19eda147b532b40f1d44c452644760d
SHA1: d0d43ca58a94af46c4eb0f2f8afcc37b455ed8c8
SHA256: f885db8ff4beeb0de5ee6cf22eb6f87890c60496b9fb9fb2d5b5dce4ce4060d4
SHA512: a96a1fe4750e289b0981a88972ce349c99d78f169aaf59966e31fc53a3e448fc850849f092756af4cb21770b9e92d776338a3568101d8ad5cfae79c34c5e4dfa
SSDEEP: 24576:f1WgdwU0MlRDXoGqgnZ58wkZ1B+QtiE8ZRXbXFpF6AcInqti0:9dwUnu8Z56wbE8nXbXFn6AcWui0
Malware Config
Extracted
Family: darkcomet
Botnet: Guest16
C2: 95.133.3.230:1604
Mutex: DC_MUTEX-D1XJ1Z3
InstallPath: MSDCSC\msdcsc.exe
gencode: UprUuFRJwerw
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate
Signatures

Darkcomet family

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (svchost.exe)

Checks computer location settings (2 TTPs, 2 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation (svchost.exe)
  Key value queried: \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation (b19eda147b532b40f1d44c452644760d_JaffaCakes118.exe)

Executes dropped EXE (2 IoCs)
  PID 2060 svchost.exe
  PID 3232 msdcsc.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (svchost.exe)

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (b19eda147b532b40f1d44c452644760d_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (svchost.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (msdcsc.exe)
Suspicious use of AdjustPrivilegeToken (48 IoCs)
  PID 2060 svchost.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  PID 3232 msdcsc.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3232 msdcsc.exe

Suspicious use of WriteProcessMemory (6 IoCs)
  PID 3460 b19eda147b532b40f1d44c452644760d_JaffaCakes118.exe wrote to memory of PID 2060 (procid_target 82)
  PID 3460 b19eda147b532b40f1d44c452644760d_JaffaCakes118.exe wrote to memory of PID 2060 (procid_target 82)
  PID 3460 b19eda147b532b40f1d44c452644760d_JaffaCakes118.exe wrote to memory of PID 2060 (procid_target 82)
  PID 2060 svchost.exe wrote to memory of PID 3232 (procid_target 83)
  PID 2060 svchost.exe wrote to memory of PID 3232 (procid_target 83)
  PID 2060 svchost.exe wrote to memory of PID 3232 (procid_target 83)
Processes
1. C:\Users\Admin\AppData\Local\Temp\b19eda147b532b40f1d44c452644760d_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\b19eda147b532b40f1d44c452644760d_JaffaCakes118.exe"
   PID: 3460
   - Checks computer location settings
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\AppData\Local\Temp\svchost.exe
      Command line: "C:\Users\Admin\AppData\Local\Temp\svchost.exe"
      PID: 2060
      - Modifies WinLogon for persistence
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
         Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
         PID: 3232
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
Network
DNS requests (remote address 8.8.8.8:53, all IN PTR)
Request                      | Response   | Bytes out | Bytes in | Packets out | Packets in
8.8.8.8.in-addr.arpa         | dns.google | 66 B      | 90 B     | 1           | 1
228.249.119.40.in-addr.arpa  | (empty)    | 73 B      | 159 B    | 1           | 1
0.159.190.20.in-addr.arpa    | (empty)    | 71 B      | 157 B    | 1           | 1
172.214.232.199.in-addr.arpa | (empty)    | 74 B      | 128 B    | 1           | 1
95.221.229.192.in-addr.arpa  | (empty)    | 73 B      | 144 B    | 1           | 1
154.239.44.20.in-addr.arpa   | (empty)    | 72 B      | 158 B    | 1           | 1
28.118.140.52.in-addr.arpa   | (empty)    | 72 B      | 158 B    | 1           | 1
53.210.109.20.in-addr.arpa   | (empty)    | 72 B      | 158 B    | 1           | 1
198.187.3.20.in-addr.arpa    | (empty)    | 71 B      | 157 B    | 1           | 1
172.210.232.199.in-addr.arpa | (empty)    | 74 B      | 128 B    | 1           | 1
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads
Filesize: 658KB
MD5: 33a2e0956d07f887abf20d090dd277d0
SHA1: ed46bf4148d2b85d11a08aafe4f970bcc7329c8c
SHA256: d9ad6dc34992eaf0e09a6305739171fbc8eaa652a1258ff221dc62e5fa063f39
SHA512: 634e948fcaf8708055777cb9fa82040e66250974a85eca650981606f77f224760a00c4a48f406a80fac729503765ccdd6e8c50356653d09ffc70bf9e1748da27