Analysis
max time kernel: 94s
max time network: 136s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
submitted: 11-12-2024 13:25
Static task: static1
Behavioral task: behavioral1
Sample: e1aaadeea3b6a7eb266464759e3015e0_JaffaCakes118.exe
Resource: win7-20241010-en
General
Target: e1aaadeea3b6a7eb266464759e3015e0_JaffaCakes118.exe
Size: 1.7MB
MD5: e1aaadeea3b6a7eb266464759e3015e0
SHA1: b8598cc86990f8037a337d37d815bf6bc2731a4f
SHA256: a56b7626f51392efde61f7badbde40701275e457ee210b22aab17592b9c009a9
SHA512: 8b86674e6d410ea4d0dd5e76b584388dcc8aa12880f11e964c18019b289bd651dfe056464448be6d0a90090fdbf39cb32ff9a11f94fb9fd62e9637eb0409c1fb
SSDEEP: 12288:BPr07ZEcWwpOYrEAw5bq4RGLeEF7EDG2O2fra7RSRUL7uHDIbntFuisEi6v3DyNq:BjQcbUADuU8iWr9itzwZTEqjQ0EBbtG
Malware Config
Extracted: darkcomet
Victim: loldude12345.zapto.org:1604
Mutex: DC_MUTEX-WYV5PKM
InstallPath: MSDCSC\msdcsc.exe
gencode: oiVpUYYaVk85
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate
Signatures
- Darkcomet family
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" (process: svchost.exe)
- Executes dropped EXE (1 IoC)
  PID 1420: msdcsc.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-4050598569-1597076380-177084960-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" (process: svchost.exe)
- Drops file in System32 directory (3 IoCs)
  File created: C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (process: svchost.exe)
  File opened for modification: C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (process: svchost.exe)
  File opened for modification: C:\Windows\SysWOW64\MSDCSC\ (process: svchost.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 3304 set thread context of 824 (process: e1aaadeea3b6a7eb266464759e3015e0_JaffaCakes118.exe, procid_target: 82)
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: e1aaadeea3b6a7eb266464759e3015e0_JaffaCakes118.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: svchost.exe)
- Suspicious use of AdjustPrivilegeToken (24 IoCs), all by PID 824 svchost.exe
  Tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of WriteProcessMemory (17 IoCs)
  PID 3304 wrote to memory of 824 (process: e1aaadeea3b6a7eb266464759e3015e0_JaffaCakes118.exe, procid_target: 82), 14 identical entries
  PID 824 wrote to memory of 1420 (process: svchost.exe, procid_target: 83), 3 identical entries
Processes
C:\Users\Admin\AppData\Local\Temp\e1aaadeea3b6a7eb266464759e3015e0_JaffaCakes118.exe (PID 3304)
  command line: "C:\Users\Admin\AppData\Local\Temp\e1aaadeea3b6a7eb266464759e3015e0_JaffaCakes118.exe"
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  C:\Windows\SysWOW64\svchost.exe (PID 824)
    command line: "C:\Windows\system32\svchost.exe"
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - Drops file in System32 directory
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    C:\Windows\SysWOW64\MSDCSC\msdcsc.exe (PID 1420)
      command line: "C:\Windows\system32\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
Network
MITRE ATT&CK Enterprise v15
Downloads
Filesize: 45KB
MD5: b7c999040d80e5bf87886d70d992c51e
SHA1: a8ed9a51cc14ccf99b670e60ebbc110756504929
SHA256: 5c3257b277f160109071e7e716040e67657341d8c42aa68d9afafe1630fcc53e
SHA512: 71ba2fbd705e51b488afe3bb33a67212cf297e97e8b1b20ada33e16956f7ec8f89a79e04a4b256fd61a442fada690aff0c807c2bdcc9165a9c7be3de725de309