Analysis
-
max time kernel
150s -
max time network
150s -
platform
windows7_x64 -
resource
win7-20240903-en -
resource tags
arch:x64arch:x86image:win7-20240903-enlocale:en-usos:windows7-x64system -
submitted
03-12-2024 15:40
Behavioral task
behavioral1
Sample
be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
21 signatures
150 seconds
General
-
Target
be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe
-
Size
681KB
-
MD5
be120e8100e8c055cb064f11c520dac4
-
SHA1
86f20ff0700aed633b8395a907033412c744146e
-
SHA256
d8fb1d97c11512623a7a031706af0db394d45043d9f1130153ad7fb7b4295dbb
-
SHA512
0668d35a1f96b49c7fe1188794dc84909b8a796adec28286073c4c8e8b978c965275903348614c4318727f0211e44feec3bb031bfd04ee6342ae81305582edc8
-
SSDEEP
12288:69HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hO:2Z1xuVVjfFoynPaVBUR8f+kN10EBA
Malware Config
Extracted
Family
darkcomet
Botnet
Guest16
C2
amanj.no-ip.biz:1604
amanjhawlere.no-ip.biz:1604
Mutex
DC_MUTEX-N3GNXE8
Attributes
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
7yDEHkqf9CLX
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe -
Modifies firewall policy service 3 TTPs 6 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" msdcsc.exe Key created \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile iexplore.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" iexplore.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" iexplore.exe -
Modifies security service 2 TTPs 2 IoCs
description ioc Process Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" msdcsc.exe Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" iexplore.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" iexplore.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" iexplore.exe -
Disables RegEdit via registry modification 2 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" msdcsc.exe Set value (int) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" iexplore.exe -
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 2576 attrib.exe -
Deletes itself 1 IoCs
pid Process 2748 notepad.exe -
Executes dropped EXE 1 IoCs
pid Process 2568 msdcsc.exe -
Loads dropped DLL 2 IoCs
pid Process 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe -
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-3290804112-2823094203-3137964600-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" iexplore.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 2568 set thread context of 2768 2568 msdcsc.exe 35 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 7 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msdcsc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iexplore.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2768 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe Token: SeSecurityPrivilege 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe Token: SeLoadDriverPrivilege 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe Token: SeSystemProfilePrivilege 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe Token: SeSystemtimePrivilege 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe Token: SeProfSingleProcessPrivilege 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe Token: SeCreatePagefilePrivilege 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe Token: SeBackupPrivilege 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe Token: SeRestorePrivilege 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe Token: SeShutdownPrivilege 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe Token: SeDebugPrivilege 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe Token: SeSystemEnvironmentPrivilege 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe Token: SeRemoteShutdownPrivilege 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe Token: SeUndockPrivilege 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe Token: SeManageVolumePrivilege 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe Token: SeImpersonatePrivilege 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe Token: SeCreateGlobalPrivilege 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe Token: 33 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe Token: 34 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe Token: 35 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 2568 msdcsc.exe Token: SeSecurityPrivilege 2568 msdcsc.exe Token: SeTakeOwnershipPrivilege 2568 msdcsc.exe Token: SeLoadDriverPrivilege 2568 msdcsc.exe Token: SeSystemProfilePrivilege 2568 msdcsc.exe Token: SeSystemtimePrivilege 2568 msdcsc.exe Token: SeProfSingleProcessPrivilege 2568 msdcsc.exe Token: SeIncBasePriorityPrivilege 2568 msdcsc.exe Token: SeCreatePagefilePrivilege 2568 msdcsc.exe Token: SeBackupPrivilege 2568 msdcsc.exe Token: SeRestorePrivilege 2568 msdcsc.exe Token: SeShutdownPrivilege 2568 msdcsc.exe Token: SeDebugPrivilege 2568 msdcsc.exe Token: SeSystemEnvironmentPrivilege 2568 msdcsc.exe Token: SeChangeNotifyPrivilege 2568 msdcsc.exe Token: SeRemoteShutdownPrivilege 2568 msdcsc.exe Token: SeUndockPrivilege 2568 msdcsc.exe Token: SeManageVolumePrivilege 2568 msdcsc.exe Token: SeImpersonatePrivilege 2568 msdcsc.exe Token: SeCreateGlobalPrivilege 2568 msdcsc.exe Token: 33 2568 msdcsc.exe Token: 34 2568 msdcsc.exe Token: 35 2568 msdcsc.exe Token: SeIncreaseQuotaPrivilege 2768 iexplore.exe Token: SeSecurityPrivilege 2768 iexplore.exe Token: SeTakeOwnershipPrivilege 2768 iexplore.exe Token: SeLoadDriverPrivilege 2768 iexplore.exe Token: SeSystemProfilePrivilege 2768 iexplore.exe Token: SeSystemtimePrivilege 2768 iexplore.exe Token: SeProfSingleProcessPrivilege 2768 iexplore.exe Token: SeIncBasePriorityPrivilege 2768 iexplore.exe Token: SeCreatePagefilePrivilege 2768 iexplore.exe Token: SeBackupPrivilege 2768 iexplore.exe Token: SeRestorePrivilege 2768 iexplore.exe Token: SeShutdownPrivilege 2768 iexplore.exe Token: SeDebugPrivilege 2768 iexplore.exe Token: SeSystemEnvironmentPrivilege 2768 iexplore.exe Token: SeChangeNotifyPrivilege 2768 iexplore.exe Token: SeRemoteShutdownPrivilege 2768 iexplore.exe Token: SeUndockPrivilege 2768 iexplore.exe Token: SeManageVolumePrivilege 2768 iexplore.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2768 iexplore.exe -
Suspicious use of WriteProcessMemory 59 IoCs
description pid Process procid_target PID 2288 wrote to memory of 2732 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe 30 PID 2288 wrote to memory of 2732 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe 30 PID 2288 wrote to memory of 2732 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe 30 PID 2288 wrote to memory of 2732 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe 30 PID 2288 wrote to memory of 2748 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe 31 PID 2288 wrote to memory of 2748 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe 31 PID 2288 wrote to memory of 2748 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe 31 PID 2288 wrote to memory of 2748 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe 31 PID 2288 wrote to memory of 2748 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe 31 PID 2288 wrote to memory of 2748 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe 31 PID 2288 wrote to memory of 2748 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe 31 PID 2288 wrote to memory of 2748 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe 31 PID 2288 wrote to memory of 2748 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe 31 PID 2288 wrote to memory of 2748 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe 31 PID 2288 wrote to memory of 2748 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe 31 PID 2288 wrote to memory of 2748 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe 31 PID 2288 wrote to memory of 2748 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe 31 PID 2288 wrote to memory of 2748 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe 31 PID 2288 wrote to memory of 2748 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe 31 PID 2288 wrote to memory of 2748 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe 31 PID 2288 wrote to memory of 2748 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe 31 PID 2288 wrote to memory of 2748 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe 31 PID 2732 wrote to memory of 2576 2732 cmd.exe 33 PID 2732 wrote to memory of 2576 2732 cmd.exe 33 PID 2732 wrote to memory of 2576 2732 cmd.exe 33 PID 2732 wrote to memory of 2576 2732 cmd.exe 33 PID 2288 wrote to memory of 2568 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe 34 PID 2288 wrote to memory of 2568 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe 34 PID 2288 wrote to memory of 2568 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe 34 PID 2288 wrote to memory of 2568 2288 be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe 34 PID 2568 wrote to memory of 2768 2568 msdcsc.exe 35 PID 2568 wrote to memory of 2768 2568 msdcsc.exe 35 PID 2568 wrote to memory of 2768 2568 msdcsc.exe 35 PID 2568 wrote to memory of 2768 2568 msdcsc.exe 35 PID 2568 wrote to memory of 2768 2568 msdcsc.exe 35 PID 2568 wrote to memory of 2768 2568 msdcsc.exe 35 PID 2768 wrote to memory of 2608 2768 iexplore.exe 36 PID 2768 wrote to memory of 2608 2768 iexplore.exe 36 PID 2768 wrote to memory of 2608 2768 iexplore.exe 36 PID 2768 wrote to memory of 2608 2768 iexplore.exe 36 PID 2768 wrote to memory of 2608 2768 iexplore.exe 36 PID 2768 wrote to memory of 2608 2768 iexplore.exe 36 PID 2768 wrote to memory of 2608 2768 iexplore.exe 36 PID 2768 wrote to memory of 2608 2768 iexplore.exe 36 PID 2768 wrote to memory of 2608 2768 iexplore.exe 36 PID 2768 wrote to memory of 2608 2768 iexplore.exe 36 PID 2768 wrote to memory of 2608 2768 iexplore.exe 36 PID 2768 wrote to memory of 2608 2768 iexplore.exe 36 PID 2768 wrote to memory of 2608 2768 iexplore.exe 36 PID 2768 wrote to memory of 2608 2768 iexplore.exe 36 PID 2768 wrote to memory of 2608 2768 iexplore.exe 36 PID 2768 wrote to memory of 2608 2768 iexplore.exe 36 PID 2768 wrote to memory of 2608 2768 iexplore.exe 36 PID 2768 wrote to memory of 2608 2768 iexplore.exe 36 PID 2768 wrote to memory of 2608 2768 iexplore.exe 36 PID 2768 wrote to memory of 2608 2768 iexplore.exe 36 PID 2768 wrote to memory of 2608 2768 iexplore.exe 36 PID 2768 wrote to memory of 2608 2768 iexplore.exe 36 PID 2768 wrote to memory of 2608 2768 iexplore.exe 36 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 2576 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\be120e8100e8c055cb064f11c520dac4_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Loads dropped DLL
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2288 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2732 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:2576
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:2748
-
-
C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"2⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:2568 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
- Modifies firewall policy service
- Modifies security service
- Windows security bypass
- Disables RegEdit via registry modification
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2768 -
C:\Windows\SysWOW64\notepad.exenotepad4⤵
- System Location Discovery: System Language Discovery
PID:2608
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Create or Modify System Process
2Windows Service
2Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
3Disable or Modify System Firewall
1Disable or Modify Tools
2Modify Registry
6Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
681KB
MD5be120e8100e8c055cb064f11c520dac4
SHA186f20ff0700aed633b8395a907033412c744146e
SHA256d8fb1d97c11512623a7a031706af0db394d45043d9f1130153ad7fb7b4295dbb
SHA5120668d35a1f96b49c7fe1188794dc84909b8a796adec28286073c4c8e8b978c965275903348614c4318727f0211e44feec3bb031bfd04ee6342ae81305582edc8