Analysis
-
max time kernel
150s -
max time network
149s -
platform
windows10-2004_x64 -
resource
win10v2004-20241007-en -
resource tags
arch:x64arch:x86image:win10v2004-20241007-enlocale:en-usos:windows10-2004-x64system -
submitted
16-12-2024 10:38
Behavioral task
behavioral1
Sample
f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe
Resource
win7-20240903-en
windows7-x64
15 signatures
150 seconds
General
-
Target
f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe
-
Size
661KB
-
MD5
f89e6abcba5b9946e47da02cee2ced9a
-
SHA1
0d8f39548a5eab3f0e1e665575a7b3d54e78edb1
-
SHA256
93293359fafc0adf8d6c70211674401c4ea799b96d516ac9bc7e9aa694f72f90
-
SHA512
0a5bf0e7b729f06c88cf65a7a66c38e39503cad4fedb750e993bba9fadd4d31838edcdee31b8f945d12d70af50e993ef41a36a40a33370642503b60e54a9b86c
-
SSDEEP
12288:E9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/hu:IZ1xuVVjfFoynPaVBUR8f+kN10EBw
Malware Config
Extracted
Family
darkcomet
Botnet
Guest16
C2
ashkar.no-ip.org:1604
Mutex
DC_MUTEX-G0FAELX
Attributes
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
ywEaUnUCbAtD
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe -
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 1920 attrib.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\Control Panel\International\Geo\Nation f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe -
Executes dropped EXE 1 IoCs
pid Process 224 msdcsc.exe -
Adds Run key to start application 2 TTPs 3 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" msdcsc.exe Set value (str) \REGISTRY\USER\S-1-5-21-940901362-3608833189-1915618603-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\system32\\MSDCSC\\msdcsc.exe" iexplore.exe -
Drops file in System32 directory 3 IoCs
description ioc Process File created C:\Windows\SysWOW64\MSDCSC\msdcsc.exe f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\msdcsc.exe f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe File opened for modification C:\Windows\SysWOW64\MSDCSC\ f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe -
Suspicious use of SetThreadContext 1 IoCs
description pid Process procid_target PID 224 set thread context of 1372 224 msdcsc.exe 87 -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msdcsc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language iexplore.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 1372 iexplore.exe -
Suspicious use of AdjustPrivilegeToken 64 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe Token: SeSecurityPrivilege 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe Token: SeTakeOwnershipPrivilege 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe Token: SeLoadDriverPrivilege 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe Token: SeSystemProfilePrivilege 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe Token: SeSystemtimePrivilege 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe Token: SeProfSingleProcessPrivilege 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe Token: SeIncBasePriorityPrivilege 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe Token: SeCreatePagefilePrivilege 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe Token: SeBackupPrivilege 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe Token: SeRestorePrivilege 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe Token: SeShutdownPrivilege 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe Token: SeDebugPrivilege 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe Token: SeSystemEnvironmentPrivilege 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe Token: SeChangeNotifyPrivilege 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe Token: SeRemoteShutdownPrivilege 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe Token: SeUndockPrivilege 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe Token: SeManageVolumePrivilege 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe Token: SeImpersonatePrivilege 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe Token: SeCreateGlobalPrivilege 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe Token: 33 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe Token: 34 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe Token: 35 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe Token: 36 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe Token: SeIncreaseQuotaPrivilege 224 msdcsc.exe Token: SeSecurityPrivilege 224 msdcsc.exe Token: SeTakeOwnershipPrivilege 224 msdcsc.exe Token: SeLoadDriverPrivilege 224 msdcsc.exe Token: SeSystemProfilePrivilege 224 msdcsc.exe Token: SeSystemtimePrivilege 224 msdcsc.exe Token: SeProfSingleProcessPrivilege 224 msdcsc.exe Token: SeIncBasePriorityPrivilege 224 msdcsc.exe Token: SeCreatePagefilePrivilege 224 msdcsc.exe Token: SeBackupPrivilege 224 msdcsc.exe Token: SeRestorePrivilege 224 msdcsc.exe Token: SeShutdownPrivilege 224 msdcsc.exe Token: SeDebugPrivilege 224 msdcsc.exe Token: SeSystemEnvironmentPrivilege 224 msdcsc.exe Token: SeChangeNotifyPrivilege 224 msdcsc.exe Token: SeRemoteShutdownPrivilege 224 msdcsc.exe Token: SeUndockPrivilege 224 msdcsc.exe Token: SeManageVolumePrivilege 224 msdcsc.exe Token: SeImpersonatePrivilege 224 msdcsc.exe Token: SeCreateGlobalPrivilege 224 msdcsc.exe Token: 33 224 msdcsc.exe Token: 34 224 msdcsc.exe Token: 35 224 msdcsc.exe Token: 36 224 msdcsc.exe Token: SeIncreaseQuotaPrivilege 1372 iexplore.exe Token: SeSecurityPrivilege 1372 iexplore.exe Token: SeTakeOwnershipPrivilege 1372 iexplore.exe Token: SeLoadDriverPrivilege 1372 iexplore.exe Token: SeSystemProfilePrivilege 1372 iexplore.exe Token: SeSystemtimePrivilege 1372 iexplore.exe Token: SeProfSingleProcessPrivilege 1372 iexplore.exe Token: SeIncBasePriorityPrivilege 1372 iexplore.exe Token: SeCreatePagefilePrivilege 1372 iexplore.exe Token: SeBackupPrivilege 1372 iexplore.exe Token: SeRestorePrivilege 1372 iexplore.exe Token: SeShutdownPrivilege 1372 iexplore.exe Token: SeDebugPrivilege 1372 iexplore.exe Token: SeSystemEnvironmentPrivilege 1372 iexplore.exe Token: SeChangeNotifyPrivilege 1372 iexplore.exe Token: SeRemoteShutdownPrivilege 1372 iexplore.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 1372 iexplore.exe -
Suspicious use of WriteProcessMemory 36 IoCs
description pid Process procid_target PID 4996 wrote to memory of 3376 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe 83 PID 4996 wrote to memory of 3376 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe 83 PID 4996 wrote to memory of 3376 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe 83 PID 3376 wrote to memory of 1920 3376 cmd.exe 85 PID 3376 wrote to memory of 1920 3376 cmd.exe 85 PID 3376 wrote to memory of 1920 3376 cmd.exe 85 PID 4996 wrote to memory of 224 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe 86 PID 4996 wrote to memory of 224 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe 86 PID 4996 wrote to memory of 224 4996 f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe 86 PID 224 wrote to memory of 1372 224 msdcsc.exe 87 PID 224 wrote to memory of 1372 224 msdcsc.exe 87 PID 224 wrote to memory of 1372 224 msdcsc.exe 87 PID 224 wrote to memory of 1372 224 msdcsc.exe 87 PID 224 wrote to memory of 1372 224 msdcsc.exe 87 PID 1372 wrote to memory of 1184 1372 iexplore.exe 88 PID 1372 wrote to memory of 1184 1372 iexplore.exe 88 PID 1372 wrote to memory of 1184 1372 iexplore.exe 88 PID 1372 wrote to memory of 1184 1372 iexplore.exe 88 PID 1372 wrote to memory of 1184 1372 iexplore.exe 88 PID 1372 wrote to memory of 1184 1372 iexplore.exe 88 PID 1372 wrote to memory of 1184 1372 iexplore.exe 88 PID 1372 wrote to memory of 1184 1372 iexplore.exe 88 PID 1372 wrote to memory of 1184 1372 iexplore.exe 88 PID 1372 wrote to memory of 1184 1372 iexplore.exe 88 PID 1372 wrote to memory of 1184 1372 iexplore.exe 88 PID 1372 wrote to memory of 1184 1372 iexplore.exe 88 PID 1372 wrote to memory of 1184 1372 iexplore.exe 88 PID 1372 wrote to memory of 1184 1372 iexplore.exe 88 PID 1372 wrote to memory of 1184 1372 iexplore.exe 88 PID 1372 wrote to memory of 1184 1372 iexplore.exe 88 PID 1372 wrote to memory of 1184 1372 iexplore.exe 88 PID 1372 wrote to memory of 1184 1372 iexplore.exe 88 PID 1372 wrote to memory of 1184 1372 iexplore.exe 88 PID 1372 wrote to memory of 1184 1372 iexplore.exe 88 PID 1372 wrote to memory of 1184 1372 iexplore.exe 88 PID 1372 wrote to memory of 1184 1372 iexplore.exe 88 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 1920 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe"C:\Users\Admin\AppData\Local\Temp\f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in System32 directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:4996 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:3376 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\f89e6abcba5b9946e47da02cee2ced9a_JaffaCakes118.exe" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1920
-
-
-
C:\Windows\SysWOW64\MSDCSC\msdcsc.exe"C:\Windows\system32\MSDCSC\msdcsc.exe"2⤵
- Executes dropped EXE
- Adds Run key to start application
- Suspicious use of SetThreadContext
- System Location Discovery: System Language Discovery
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:224 -
C:\Program Files (x86)\Internet Explorer\iexplore.exe"C:\Program Files (x86)\Internet Explorer\iexplore.exe"3⤵
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:1372 -
C:\Windows\SysWOW64\notepad.exenotepad4⤵
- System Location Discovery: System Language Discovery
PID:1184
-
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Modify Registry
2Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
661KB
MD5f89e6abcba5b9946e47da02cee2ced9a
SHA10d8f39548a5eab3f0e1e665575a7b3d54e78edb1
SHA25693293359fafc0adf8d6c70211674401c4ea799b96d516ac9bc7e9aa694f72f90
SHA5120a5bf0e7b729f06c88cf65a7a66c38e39503cad4fedb750e993bba9fadd4d31838edcdee31b8f945d12d70af50e993ef41a36a40a33370642503b60e54a9b86c