Analysis

Max time kernel: 94s
Max time network: 151s
Platform: windows10-2004_x64
Resource: win10v2004-20241007-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 07-12-2024 21:20

Static task: static1
Behavioral task: behavioral1
Sample: d3aa661e379ab45d42e977fe6440320d_JaffaCakes118.exe
Resource (as listed for the task): win7-20240708-en
General

Target: d3aa661e379ab45d42e977fe6440320d_JaffaCakes118.exe
Size: 1.0MB
MD5: d3aa661e379ab45d42e977fe6440320d
SHA1: d3033071d5e7e099eb1292ac1c29a1ccf9ddc29d
SHA256: 596742e436c3a63ade42e1f91bb00364a21a3ed3f742122dbe0368280e8f02e9
SHA512: 2bb2a2678dfd01b47c9617f9d72e9eba589fbebdc074019e0e8776f6575441ca2971252df447648f2c423a0630c49a19a4852e430288e20e763f12cf97ae83a1
SSDEEP: 24576:n+t551zGlKYkNmyASIHZmHmHMcbG3tbxp1aL9g:n+t55dGimyASIoHmsfbxpE
Malware Config

Extracted: darkcomet
Botnet / campaign ID: Guest16
C2: 68.194.136.134:1604
Mutex: DC_MUTEX-G293ZDW
InstallPath: MSDCSC\msdcsc.exe
gencode: qG1EhGAmh8HK
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate

Notes on the config: Guest16 is the DarkComet default client ID, and DC_MUTEX- is the builder's mutex prefix. InstallPath is relative; in this run it resolved to C:\Users\Admin\Documents\MSDCSC\msdcsc.exe, and reg_key is the Run-key value name the implant wrote (see the signatures below). "persistence: false" is DarkComet's "persistent installation" (re-spawn/restore) option, not the startup entries, which are governed by install and reg_key; that is why the run still shows Run-key and Winlogon persistence despite this flag.
Signatures

Darkcomet family

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str) by WinSec.exe:
  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
  The stock value is userinit.exe alone; every comma-separated entry appended to it is launched by Winlogon at each interactive logon, so this survives removal of the Run key.

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely for geofencing.
  Key value queried by WinSec.exe:
  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\Control Panel\International\Geo\Nation

Executes dropped EXE (2 IoCs)
  PID 4568 WinSec.exe
  PID 976 msdcsc.exe

Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str) by WinSec.exe:
  \REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"

Suspicious use of SetThreadContext (1 IoC)
  PID 3896 (d3aa661e379ab45d42e977fe6440320d_JaffaCakes118.exe) set the thread context of PID 4568 (WinSec.exe), target procid 83.

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTP, 3 IoCs)
  Attempts to gather the system language of the victim in order to infer the host's geographical location.
  Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by:
    d3aa661e379ab45d42e977fe6440320d_JaffaCakes118.exe
    WinSec.exe
    msdcsc.exe

Modifies registry class (1 IoC)
  Key created by WinSec.exe:
  \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\

Suspicious use of AdjustPrivilegeToken (24 IoCs)
  PID 4568 (WinSec.exe) requested the following token privileges: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, and privilege LUIDs 33, 34, 35, 36 (not resolved by the sandbox; these are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege, SeCreateSymbolicLinkPrivilege and SeDelegateSessionUserImpersonatePrivilege).
  Requesting every privilege in one sweep is the pattern of a process calling AdjustTokenPrivileges on its own token for everything it can name; only privileges already present in the token are actually enabled.

Suspicious use of WriteProcessMemory (19 IoCs)
  PID 3896 (d3aa661e379ab45d42e977fe6440320d_JaffaCakes118.exe) wrote to the memory of PID 4568 (WinSec.exe), target procid 83: 16 events
  PID 4568 (WinSec.exe) wrote to the memory of PID 976 (msdcsc.exe), target procid 84: 3 events
  Combined with the SetThreadContext call above, the 3896 -> 4568 writes are the sequence of a dropper populating a child it created and then redirecting its entry point.
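The two registry persistence IoCs and the write-then-set-thread-context pattern above, expressed as rule checks. This is an added example, not the sandbox's own detection logic: the events are constructed by hand from this report's signature lines, the event order used for the injection check is an assumption (the report lists signatures, not a timeline), and the min_writes threshold is likewise assumed.

```python
"""Rule checks over the behaviours shown in this DarkComet report (added example)."""
import re
from collections import Counter

# Constructed from the report: registry writes attributed to WinSec.exe (PID 4568).
REGISTRY_EVENTS = [
    {"pid": 4568, "process": "WinSec.exe",
     "key": r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon",
     "name": "UserInit",
     "value": r"C:\Windows\system32\userinit.exe,C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"},
    {"pid": 4568, "process": "WinSec.exe",
     "key": r"\REGISTRY\USER\S-1-5-21-1045960512-3948844814-3059691613-1000"
            r"\SOFTWARE\Microsoft\Windows\CurrentVersion\Run",
     "name": "MicroUpdate",
     "value": r"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"},
]

# Constructed from the report's counts (16 + 3 writes, 1 SetThreadContext).
# The ordering is an assumption; the sandbox page does not give a timeline.
API_EVENTS = (
    [("WriteProcessMemory", 3896, 4568)] * 16
    + [("SetThreadContext", 3896, 4568)]
    + [("WriteProcessMemory", 4568, 976)] * 3
)

LEGIT_USERINIT = r"c:\windows\system32\userinit.exe"
USER_PROFILE_PATH = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.IGNORECASE)


def userinit_extra_entries(value: str) -> list[str]:
    """Return every Winlogon\\UserInit entry other than the stock userinit.exe.

    A clean value is 'C:\\Windows\\system32\\userinit.exe,' (note the trailing
    comma). Anything appended is launched at every logon (ATT&CK T1547.004).
    """
    entries = [e.strip().strip('"') for e in value.split(",") if e.strip()]
    return [e for e in entries if e.lower() != LEGIT_USERINIT]


def run_key_in_user_profile(value: str) -> bool:
    """True when a Run-key command lives under C:\\Users\\<name>\\ (T1547.001).

    Flagging the whole profile tree is a deliberate, assumed hunting choice:
    it catches Documents, Temp and AppData drops alike at the cost of some
    noise from legitimate per-user installers.
    """
    return bool(USER_PROFILE_PATH.match(value.strip().strip('"')))


def injection_pairs(events, min_writes: int = 4):
    """Flag (source, target, writes) where repeated WriteProcessMemory into a
    process is followed by SetThreadContext on it, the hollowing-style
    sequence the report attributes to PID 3896 -> 4568. min_writes is assumed."""
    writes = Counter()
    flagged = []
    for api, src, dst in events:
        if api == "WriteProcessMemory":
            writes[(src, dst)] += 1
        elif api == "SetThreadContext" and writes[(src, dst)] >= min_writes:
            flagged.append((src, dst, writes[(src, dst)]))
    return flagged


def registry_findings(events):
    """Run both registry rules; returns (rule, pid, process, evidence) tuples."""
    out = []
    for ev in events:
        key, name = ev["key"].lower(), ev["name"].lower()
        if key.endswith(r"\winlogon") and name == "userinit":
            for extra in userinit_extra_entries(ev["value"]):
                out.append(("winlogon_userinit_tamper", ev["pid"], ev["process"], extra))
        if key.endswith(r"\currentversion\run") and run_key_in_user_profile(ev["value"]):
            out.append(("run_key_user_profile", ev["pid"], ev["process"], ev["value"]))
    return out


if __name__ == "__main__":
    for finding in registry_findings(REGISTRY_EVENTS):
        print("registry", finding)
    for finding in injection_pairs(API_EVENTS):
        print("injection", finding)
```

Run as-is it reports the UserInit tamper and the Run key for PID 4568, plus the 3896 -> 4568 injection pair with 16 writes; the 4568 -> 976 writes alone do not trigger, because no SetThreadContext follows them in the report.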
Processes

1. C:\Users\Admin\AppData\Local\Temp\d3aa661e379ab45d42e977fe6440320d_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\d3aa661e379ab45d42e977fe6440320d_JaffaCakes118.exe"
   PID: 3896
   - Suspicious use of SetThreadContext
   - System Location Discovery: System Language Discovery
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\AppData\Roaming\WinSec.exe (child of PID 3896)
      Command line: C:\Users\Admin\AppData\Roaming\WinSec.exe
      PID: 4568
      - Modifies WinLogon for persistence
      - Checks computer location settings
      - Executes dropped EXE
      - Adds Run key to start application
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (child of PID 4568)
         Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
         PID: 976
         - Executes dropped EXE
         - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads

Filesize: 34KB
MD5: e118330b4629b12368d91b9df6488be0
SHA1: ce90218c7e3b90df2a3409ec253048bb6472c2fd
SHA256: 3a0f2936b8c45e8ba3458d69d7859a63844469e698652e15fb56639d32f40cc9
SHA512: ac91c04cb20223dbaaf594440cb778dff36e857921be427c8528ba4c6cdb3e8bf8e71e1ae8af7bde9c04ff5b97b379231625bc1a2b66aba2f98cd340cd8a94b0