Analysis
- max time kernel: 150s
- max time network: 16s
- platform: windows7_x64
- resource: win7-20240729-en
- resource tags: arch:x64, arch:x86, image:win7-20240729-en, locale:en-us, os:windows7-x64, system
- submitted: 13-12-2024 12:54
Behavioral task: behavioral1
- Sample: eb9929b2a05ca8aaffe501e498bd0301_JaffaCakes118.exe
- Resource: win7-20240729-en
General
- Target: eb9929b2a05ca8aaffe501e498bd0301_JaffaCakes118.exe
- Size: 747KB
- MD5: eb9929b2a05ca8aaffe501e498bd0301
- SHA1: 2a648717022fbe526f07c6827796d0f2a767cae2
- SHA256: f0904890533c32e6fcbe160eb0055c55d7eff868002cf638b4806b26593c2638
- SHA512: 3b0f9441f72b1ddafd121da04e53fd89af2e68cf37aeb92c9aea5d9b47a21b5d4f4fa7bd85196b08442c18e5423182f1cc9d3d71ed9fd5ec518fd48ef0c33f20
- SSDEEP: 12288:ek0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+rnkT:z0QRWoJEfg0oChGdJQbjPbNW5tYeP+Gp
Malware Config
Extracted: darkcomet
- Guest16
- melidas.no-ip.org:1604
- DC_MUTEX-W6URBQG
- InstallPath: MSDCSC\Rundll32.exe
- gencode: tduXnWzfAFR4
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: Rundll32
Signatures
- Darkcomet family
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\MSDCSC\\Rundll32.exe" (process: eb9929b2a05ca8aaffe501e498bd0301_JaffaCakes118.exe)
- Modifies firewall policy service (3 TTPs, 3 IoCs)
  Key created: \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile (process: Rundll32.exe)
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0" (process: Rundll32.exe)
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0" (process: Rundll32.exe)
- Modifies security service (2 TTPs, 1 IoC)
  Set value (int): \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4" (process: Rundll32.exe)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" (process: Rundll32.exe)
- Executes dropped EXE (1 IoC)
  PID 3004 (Rundll32.exe)
- Loads dropped DLL (2 IoCs)
  PID 1200 (eb9929b2a05ca8aaffe501e498bd0301_JaffaCakes118.exe)
  PID 1200 (eb9929b2a05ca8aaffe501e498bd0301_JaffaCakes118.exe)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-2703099537-420551529-3771253338-1000\Software\Microsoft\Windows\CurrentVersion\Run\Rundll32 = "C:\\Windows\\MSDCSC\\Rundll32.exe" (process: eb9929b2a05ca8aaffe501e498bd0301_JaffaCakes118.exe)
- Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\MSDCSC\Rundll32.exe (process: eb9929b2a05ca8aaffe501e498bd0301_JaffaCakes118.exe)
  File opened for modification: C:\Windows\MSDCSC\Rundll32.exe (process: eb9929b2a05ca8aaffe501e498bd0301_JaffaCakes118.exe)
  File opened for modification: C:\Windows\MSDCSC\ (process: eb9929b2a05ca8aaffe501e498bd0301_JaffaCakes118.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 2 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: Rundll32.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (process: eb9929b2a05ca8aaffe501e498bd0301_JaffaCakes118.exe)
- Suspicious use of AdjustPrivilegeToken (46 IoCs)
  PID 1200 (eb9929b2a05ca8aaffe501e498bd0301_JaffaCakes118.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 3004 (Rundll32.exe), tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 3004 (Rundll32.exe)
- Suspicious use of WriteProcessMemory (7 IoCs)
  PID 1200 wrote to memory of 3004 (process: eb9929b2a05ca8aaffe501e498bd0301_JaffaCakes118.exe, procid_target: 29), recorded 7 times
Processes
1. C:\Users\Admin\AppData\Local\Temp\eb9929b2a05ca8aaffe501e498bd0301_JaffaCakes118.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\eb9929b2a05ca8aaffe501e498bd0301_JaffaCakes118.exe"
   PID: 1200
   - Modifies WinLogon for persistence
   - Loads dropped DLL
   - Adds Run key to start application
   - Drops file in Windows directory
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Windows\MSDCSC\Rundll32.exe (spawned under process 1)
      Command line: "C:\Windows\MSDCSC\Rundll32.exe"
      PID: 3004
      - Modifies firewall policy service
      - Modifies security service
      - Windows security bypass
      - Executes dropped EXE
      - Windows security modification
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
- Create or Modify System Process (2)
  - Windows Service (2)
Defense Evasion
- Impair Defenses (3)
  - Disable or Modify System Firewall (1)
  - Disable or Modify Tools (2)
- Modify Registry (6)