Analysis
-
max time kernel
150s -
max time network
151s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
02-12-2024 16:13
Behavioral task
behavioral1
Sample
b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
14 signatures
150 seconds
General
-
Target
b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe
-
Size
658KB
-
MD5
b914850eafbba9504aaf7e67869db6b3
-
SHA1
ed69e6b955cdccf38969da227afa9a7f5e6eeb7c
-
SHA256
f388fa32e08efa8d9e6225e525b8139f8310fae9bdc4d8bd7118d0cb6333ee60
-
SHA512
76822f95bc109294d5a2dbe7bdb316623ea10a9ae41fc6530fe45e9f5d7067ed7b4202ab572a6905b383cd05612f954696115030640cc8430988d726ea1eed6d
-
SSDEEP
12288:e9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hK:qZ1xuVVjfFoynPaVBUR8f+kN10EBA
Malware Config
Extracted
Family
darkcomet
Botnet
dark
C2
mido55.no-ip.org:1178
Mutex
DC_MUTEX-KBTL6GG
Attributes
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
CCArAs9RNT1c
-
install
true
-
offline_keylogger
true
-
persistence
false
-
reg_key
MicroUpdate
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe -
Sets file to hidden 1 TTPs 2 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 3136 attrib.exe 1652 attrib.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\Control Panel\International\Geo\Nation b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 3732 msdcsc.exe -
Adds Run key to start application 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-2878641211-696417878-3864914810-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msdcsc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 3732 msdcsc.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe Token: SeSecurityPrivilege 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe Token: SeLoadDriverPrivilege 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe Token: SeSystemProfilePrivilege 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe Token: SeSystemtimePrivilege 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe Token: SeProfSingleProcessPrivilege 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe Token: SeCreatePagefilePrivilege 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe Token: SeBackupPrivilege 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe Token: SeRestorePrivilege 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe Token: SeShutdownPrivilege 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe Token: SeDebugPrivilege 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe Token: SeSystemEnvironmentPrivilege 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe Token: SeRemoteShutdownPrivilege 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe Token: SeUndockPrivilege 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe Token: SeManageVolumePrivilege 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe Token: SeImpersonatePrivilege 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe Token: SeCreateGlobalPrivilege 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe Token: 33 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe Token: 34 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe Token: 35 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe Token: 36 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 3732 msdcsc.exe Token: SeSecurityPrivilege 3732 msdcsc.exe Token: SeTakeOwnershipPrivilege 3732 msdcsc.exe Token: SeLoadDriverPrivilege 3732 msdcsc.exe Token: SeSystemProfilePrivilege 3732 msdcsc.exe Token: SeSystemtimePrivilege 3732 msdcsc.exe Token: SeProfSingleProcessPrivilege 3732 msdcsc.exe Token: SeIncBasePriorityPrivilege 3732 msdcsc.exe Token: SeCreatePagefilePrivilege 3732 msdcsc.exe Token: SeBackupPrivilege 3732 msdcsc.exe Token: SeRestorePrivilege 3732 msdcsc.exe Token: SeShutdownPrivilege 3732 msdcsc.exe Token: SeDebugPrivilege 3732 msdcsc.exe Token: SeSystemEnvironmentPrivilege 3732 msdcsc.exe Token: SeChangeNotifyPrivilege 3732 msdcsc.exe Token: SeRemoteShutdownPrivilege 3732 msdcsc.exe Token: SeUndockPrivilege 3732 msdcsc.exe Token: SeManageVolumePrivilege 3732 msdcsc.exe Token: SeImpersonatePrivilege 3732 msdcsc.exe Token: SeCreateGlobalPrivilege 3732 msdcsc.exe Token: 33 3732 msdcsc.exe Token: 34 3732 msdcsc.exe Token: 35 3732 msdcsc.exe Token: 36 3732 msdcsc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 3732 msdcsc.exe -
Suspicious use of WriteProcessMemory 37 IoCs
description pid Process procid_target PID 4544 wrote to memory of 960 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe 83 PID 4544 wrote to memory of 960 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe 83 PID 4544 wrote to memory of 960 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe 83 PID 4544 wrote to memory of 3044 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe 85 PID 4544 wrote to memory of 3044 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe 85 PID 4544 wrote to memory of 3044 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe 85 PID 3044 wrote to memory of 3136 3044 cmd.exe 87 PID 3044 wrote to memory of 3136 3044 cmd.exe 87 PID 3044 wrote to memory of 3136 3044 cmd.exe 87 PID 960 wrote to memory of 1652 960 cmd.exe 88 PID 960 wrote to memory of 1652 960 cmd.exe 88 PID 960 wrote to memory of 1652 960 cmd.exe 88 PID 4544 wrote to memory of 3732 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe 89 PID 4544 wrote to memory of 3732 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe 89 PID 4544 wrote to memory of 3732 4544 b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe 89 PID 3732 wrote to memory of 1916 3732 msdcsc.exe 90 PID 3732 wrote to memory of 1916 3732 msdcsc.exe 90 PID 3732 wrote to memory of 1916 3732 msdcsc.exe 90 PID 3732 wrote to memory of 1916 3732 msdcsc.exe 90 PID 3732 wrote to memory of 1916 3732 msdcsc.exe 90 PID 3732 wrote to memory of 1916 3732 msdcsc.exe 90 PID 3732 wrote to memory of 1916 3732 msdcsc.exe 90 PID 3732 wrote to memory of 1916 3732 msdcsc.exe 90 PID 3732 wrote to memory of 1916 3732 msdcsc.exe 90 PID 3732 wrote to memory of 1916 3732 msdcsc.exe 90 PID 3732 wrote to memory of 1916 3732 msdcsc.exe 90 PID 3732 wrote to memory of 1916 3732 msdcsc.exe 90 PID 3732 wrote to memory of 1916 3732 msdcsc.exe 90 PID 3732 wrote to memory of 1916 3732 msdcsc.exe 90 PID 3732 wrote to memory of 1916 3732 msdcsc.exe 90 PID 3732 wrote to memory of 1916 3732 msdcsc.exe 90 PID 3732 wrote to memory of 1916 3732 msdcsc.exe 90 PID 3732 wrote to memory of 1916 3732 msdcsc.exe 90 PID 3732 wrote to memory of 1916 3732 msdcsc.exe 90 PID 3732 wrote to memory of 1916 3732 msdcsc.exe 90 PID 3732 wrote to memory of 1916 3732 msdcsc.exe 90 PID 3732 wrote to memory of 1916 3732 msdcsc.exe 90 -
Views/modifies file attributes 1 TTPs 2 IoCs
pid Process 3136 attrib.exe 1652 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4544 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:960 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\b914850eafbba9504aaf7e67869db6b3_JaffaCakes118.exe" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1652
-
-
-
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3044 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:3136
-
-
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Executes dropped EXE
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:3732 -
C:\Windows\SysWOW64\notepad.exenotepad3⤵
- System Location Discovery: System Language Discovery
PID:1916
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
658KB
MD5b914850eafbba9504aaf7e67869db6b3
SHA1ed69e6b955cdccf38969da227afa9a7f5e6eeb7c
SHA256f388fa32e08efa8d9e6225e525b8139f8310fae9bdc4d8bd7118d0cb6333ee60
SHA51276822f95bc109294d5a2dbe7bdb316623ea10a9ae41fc6530fe45e9f5d7067ed7b4202ab572a6905b383cd05612f954696115030640cc8430988d726ea1eed6d