Analysis
max time kernel: 150s
max time network: 146s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 08-12-2024 03:41
Static task: static1
Behavioral task: behavioral1
Sample: d5120831f470dfc446f0eb7f0828025d_JaffaCakes118.exe
Resource: win7-20241010-en
General
Target: d5120831f470dfc446f0eb7f0828025d_JaffaCakes118.exe
Size: 762KB
MD5: d5120831f470dfc446f0eb7f0828025d
SHA1: d5c87a9c79988ca71f1f59ecf8b063a886d36175
SHA256: 09bb29e6a47c5eb92ee01c737f34cc2b2092ae6c6ddc1b6455fdf4754526ddcb
SHA512: 7f4bd79b075d6cb0ef131dac443d29c93910cc069710628f24be5276f94c8e65a939ade9060d823b1a008cfc02da59afb6e40d120e524d1985b3aa38f1742493
SSDEEP: 12288:s/fDmRvzHR/Dg3HycWvhAVfeBD8/D1nmcX6jgf+ESbMjgHSFSktyQe/rhhPl5WLG:YDmdzx/Dg3uZAVfeq/D3XXBSAjgHSnsz
Malware Config
Extracted
Family: darkcomet
Botnet: Guest16
C2: 178.252.116.91:1604
Mutex: DC_MUTEX-MNKZPGM
InstallPath: MSDCSC\msdcsc.exe
gencode: 8zGLDtrYqZZ2
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures

Darkcomet family

Modifies WinLogon for persistence (2 TTPs, 1 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe" | darkcomettt.exe

Boot or Logon Autostart Execution: Active Setup (2 TTPs, 4 IoCs)
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{296100B6-F5A3-4520-8138-165C09016C05} | _xx_server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{296100B6-F5A3-4520-8138-165C09016C05}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\_xx_server.exe" | _xx_server.exe
Key created | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{296100B6-F5A3-4520-8138-165C09016C05} | _xx_server.exe
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Active Setup\Installed Components\{296100B6-F5A3-4520-8138-165C09016C05}\StubPath = "C:\\Users\\Admin\\AppData\\Local\\_xx_server.exe" | _xx_server.exe

Sets file to hidden (1 TTPs, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
pid | Process
1624 | attrib.exe
2924 | attrib.exe

Executes dropped EXE (7 IoCs)
pid | Process
2592 | server.exe
2400 | stealer.exe
2408 | darkcomettt.exe
2796 | stealer.exe
2200 | _xx_server.exe
548 | msdcsc.exe
2096 | _xx_server.exe

Loads dropped DLL (10 IoCs)
pid | Process | count
2500 | d5120831f470dfc446f0eb7f0828025d_JaffaCakes118.exe | 5
2400 | stealer.exe | 1
2592 | server.exe | 2
2408 | darkcomettt.exe | 2

Adds Run key to start application (2 TTPs, 4 IoCs)
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe" | darkcomettt.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Local\\_xx_server.exe" | _xx_server.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\AppData\\Roaming\\MSDCSC\\msdcsc.exe" | msdcsc.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-2039016743-699959520-214465309-1000\Software\Microsoft\Windows\CurrentVersion\Run\Server = "C:\\Users\\Admin\\AppData\\Local\\_xx_server.exe" | _xx_server.exe

resource | yara_rule
behavioral1/memory/2408-28-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/files/0x0008000000016cc9-27.dat | upx
behavioral1/memory/548-65-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/2408-62-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/548-108-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/548-112-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral1/memory/548-116-0x0000000000400000-0x00000000004B7000-memory.dmp | upx

Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (1 TTPs, 12 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | stealer.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | darkcomettt.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | _xx_server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | d5120831f470dfc446f0eb7f0828025d_JaffaCakes118.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | _xx_server.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdcsc.exe

Suspicious behavior: GetForegroundWindowSpam (1 IoCs)
pid | Process
548 | msdcsc.exe

Suspicious use of AdjustPrivilegeToken (46 IoCs)
description | pid | Process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 entries) | 2408 | darkcomettt.exe
Token: the same 23 privileges, in the same order, as for PID 2408 | 548 | msdcsc.exe

Suspicious use of SetWindowsHookEx (1 IoCs)
pid | Process
548 | msdcsc.exe

Suspicious use of WriteProcessMemory (64 IoCs)
description | pid | Process | procid_target | count
PID 2500 wrote to memory of 2592 | 2500 | d5120831f470dfc446f0eb7f0828025d_JaffaCakes118.exe | 30 | 4
PID 2500 wrote to memory of 2400 | 2500 | d5120831f470dfc446f0eb7f0828025d_JaffaCakes118.exe | 31 | 4
PID 2500 wrote to memory of 2408 | 2500 | d5120831f470dfc446f0eb7f0828025d_JaffaCakes118.exe | 32 | 4
PID 2400 wrote to memory of 2796 | 2400 | stealer.exe | 33 | 4
PID 2592 wrote to memory of 2200 | 2592 | server.exe | 34 | 4
PID 2408 wrote to memory of 2552 | 2408 | darkcomettt.exe | 36 | 4
PID 2408 wrote to memory of 2720 | 2408 | darkcomettt.exe | 38 | 4
PID 2552 wrote to memory of 1624 | 2552 | cmd.exe | 40 | 4
PID 2720 wrote to memory of 2924 | 2720 | cmd.exe | 41 | 4
PID 2408 wrote to memory of 548 | 2408 | darkcomettt.exe | 42 | 4
PID 548 wrote to memory of 2916 | 548 | msdcsc.exe | 43 | 23
PID 2200 wrote to memory of 2096 | 2200 | _xx_server.exe | 45 | 1

Views/modifies file attributes (1 TTPs, 2 IoCs)
pid | Process
1624 | attrib.exe
2924 | attrib.exe
Processes

depth 1: C:\Users\Admin\AppData\Local\Temp\d5120831f470dfc446f0eb7f0828025d_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\d5120831f470dfc446f0eb7f0828025d_JaffaCakes118.exe"
    PID: 2500
    - Loads dropped DLL
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory

    depth 2: C:\Users\Admin\AppData\Local\Temp\server.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\server.exe"
        PID: 2592
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        depth 3: C:\Users\Admin\AppData\Local\_xx_server.exe
            Command line: "C:\Users\Admin\AppData\Local\_xx_server.exe"
            PID: 2200
            - Boot or Logon Autostart Execution: Active Setup
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            depth 4: C:\Users\Admin\AppData\Local\_xx_server.exe
                Command line: "C:\Users\Admin\AppData\Local\_xx_server.exe"
                PID: 2096
                - Boot or Logon Autostart Execution: Active Setup
                - Executes dropped EXE
                - Adds Run key to start application
                - System Location Discovery: System Language Discovery

    depth 2: C:\Users\Admin\AppData\Local\Temp\stealer.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\stealer.exe"
        PID: 2400
        - Executes dropped EXE
        - Loads dropped DLL
        - System Location Discovery: System Language Discovery
        - Suspicious use of WriteProcessMemory

        depth 3: C:\Users\Admin\AppData\Roaming\stealer.exe
            Command line: "C:\Users\Admin\AppData\Roaming\stealer.exe"
            PID: 2796
            - Executes dropped EXE

    depth 2: C:\Users\Admin\AppData\Local\Temp\darkcomettt.exe
        Command line: "C:\Users\Admin\AppData\Local\Temp\darkcomettt.exe"
        PID: 2408
        - Modifies WinLogon for persistence
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        depth 3: C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\darkcomettt.exe" +s +h
            PID: 2552
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            depth 4: C:\Windows\SysWOW64\attrib.exe
                Command line: attrib "C:\Users\Admin\AppData\Local\Temp\darkcomettt.exe" +s +h
                PID: 1624
                - Sets file to hidden
                - System Location Discovery: System Language Discovery
                - Views/modifies file attributes

        depth 3: C:\Windows\SysWOW64\cmd.exe
            Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            PID: 2720
            - System Location Discovery: System Language Discovery
            - Suspicious use of WriteProcessMemory

            depth 4: C:\Windows\SysWOW64\attrib.exe
                Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
                PID: 2924
                - Sets file to hidden
                - System Location Discovery: System Language Discovery
                - Views/modifies file attributes

        depth 3: C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe
            Command line: "C:\Users\Admin\AppData\Roaming\MSDCSC\msdcsc.exe"
            PID: 548
            - Executes dropped EXE
            - Adds Run key to start application
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: GetForegroundWindowSpam
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of SetWindowsHookEx
            - Suspicious use of WriteProcessMemory

            depth 4: C:\Windows\SysWOW64\notepad.exe
                Command line: notepad
                PID: 2916
                - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
    Boot or Logon Autostart Execution (3)
        Active Setup (1)
        Registry Run Keys / Startup Folder (1)
        Winlogon Helper DLL (1)
Privilege Escalation
    Boot or Logon Autostart Execution (3)
        Active Setup (1)
        Registry Run Keys / Startup Folder (1)
        Winlogon Helper DLL (1)
Defense Evasion
    Hide Artifacts (2)
        Hidden Files and Directories (2)
    Modify Registry (3)
Downloads

Filesize: 252KB
MD5: 10a32b9c47dab5a25ea12a3beffb17d0
SHA1: ab924fd6d76aa5ec325ac8d8ecac42b80d56fb91
SHA256: 37cee6ae388f4eed1059fa76f43a143f7961be3c60e4cfc62ec737b16144a0c2
SHA512: f3565c48bafc041b23ec3e78767eb62a894037534296693be2928e7cc478234a7fe5eb88ec4b59a9d56f9c5f989e616ecf5967e02ffb8ae5a7c288e6836d3f5f

Filesize: 24KB
MD5: 700d01c4ae4b6f744aeab06505192eb5
SHA1: 0fa45619d140b198beb6b3dc7eeaecf86a3e04c9
SHA256: dc4ac9c8cbea4f8095d5241f6242dabfe34ce0bab8da880f98d62c3b541b5ff8
SHA512: 947846d7c64aa6f83bdfc31c9b0ec86f78a42f0d5a263a780438fcf51d533efd83d7c983c3642850f7bb1f0624489e371531f615b9d20a298fa6c353324c7ad2

Filesize: 669KB
MD5: a6ca67fa3012333e87e0fbfb4c297f17
SHA1: 30c7be9d137b2d47a8e1427ac11c3bc0b74dbaf1
SHA256: e72764d1ed03901a09d29a17b2ccef09d8084af832b7023afa6caf52db0d9ec7
SHA512: 3ce127adf4aafde5d8c4ece19cfc49e500ca1a574fdf468d2cb5409a0e2d733e9a73ef02f13dc163c359da6186d5f531e9bb4d021e504a5b7d8b30ec88059ad1