Analysis
max time kernel: 150s
max time network: 150s
platform: windows10-2004_x64
resource: win10v2004-20241007-en
resource tags: arch:x64 arch:x86 image:win10v2004-20241007-en locale:en-us os:windows10-2004-x64 system
submitted: 03-01-2025 08:36
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_6b6a94ac17d74979c41f9df5dd987740.exe
Resource: win7-20240903-en
General
Target: JaffaCakes118_6b6a94ac17d74979c41f9df5dd987740.exe
Size: 779KB
MD5: 6b6a94ac17d74979c41f9df5dd987740
SHA1: f51f2ad7cb34073d5ef5fc900368369202331506
SHA256: 0a1da724132eca214511cff376c2ba53ae7fa63b96d6f60a3f51a205caf43e90
SHA512: 0e0329f21bd82ac2d7dd6dd67b9a5c49b09a92d2294b506176454d80420447a2746f2240353c64e16ce6714afbec9a5df5ccb87011dc0a39f76984282b31d69d
SSDEEP: 12288:h4YJH6lgnTSwfC55c7nnoUIRk1WtEupY5saNLlSsl5HOYdyYLI:h4+H6lpwfC56DOq0tEupSB6Cf0
Malware Config
Extracted
Family: darkcomet
Botnet: HaCkEd
C2: imasoldier.zapto.org:1065
Mutex: DC_MUTEX-F4Y6Y3U
Attributes:
  InstallPath: MSDCSC\msdcsc.exe
  gencode: NvNoWDafnVkg
  install: true
  offline_keylogger: true
  persistence: true
  reg_key: MicroUpdate
Signatures
Darkcomet family

Modifies WinLogon for persistence (TTPs: 2, IoCs: 1)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 1.exe

Modifies security service (TTPs: 2, IoCs: 1)
  description | ioc | Process
  Set value (int) | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Services\wscsvc\Start = "4" | msdcsc.exe

Windows security bypass
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe

Sets file to hidden (TTPs: 1, IoCs: 2)
Modifies file attributes to stop it showing in Explorer etc.
  pid | Process
  1916 | attrib.exe
  4912 | attrib.exe

Checks computer location settings (TTPs: 2, IoCs: 3)
Looks up the country code configured in the registry, likely a geofence.
  description | ioc | Process
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | 2.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | 1.exe
  Key value queried | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\Control Panel\International\Geo\Nation | JaffaCakes118_6b6a94ac17d74979c41f9df5dd987740.exe

Executes dropped EXE (IoCs: 3)
  pid | Process
  4144 | 2.exe
  4892 | 1.exe
  4752 | msdcsc.exe

Windows security modification
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" | msdcsc.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" | msdcsc.exe

Adds Run key to start application (TTPs: 2, IoCs: 2)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | 1.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3756129449-3121373848-4276368241-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | msdcsc.exe

Enumerates physical storage devices (TTPs: 1)
Attempts to interact with connected storage/optical drive(s).

System Location Discovery: System Language Discovery (TTPs: 1, IoCs: 12)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | attrib.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdcsc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_6b6a94ac17d74979c41f9df5dd987740.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 1.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | 2.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | cmd.exe

Modifies registry class (IoCs: 1)
  description | ioc | Process
  Key created | \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ | 1.exe

Suspicious behavior: GetForegroundWindowSpam (IoCs: 1)
  pid | Process
  4752 | msdcsc.exe

Suspicious use of AdjustPrivilegeToken (IoCs: 48)
  description | pid | Process
  Each of the following 24 tokens is recorded once for 4892 1.exe and once for 4752 msdcsc.exe:
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

Suspicious use of SetWindowsHookEx (IoCs: 1)
  pid | Process
  4752 | msdcsc.exe

Suspicious use of WriteProcessMemory (IoCs: 64)
  description | pid | Process | procid_target
  PID 2364 wrote to memory of 3988 | 2364 | JaffaCakes118_6b6a94ac17d74979c41f9df5dd987740.exe | 82 (recorded 3 times)
  PID 3988 wrote to memory of 4144 | 3988 | cmd.exe | 85 (recorded 3 times)
  PID 4144 wrote to memory of 4424 | 4144 | 2.exe | 86 (recorded 3 times)
  PID 4424 wrote to memory of 4892 | 4424 | cmd.exe | 88 (recorded 3 times)
  PID 4892 wrote to memory of 876 | 4892 | 1.exe | 89 (recorded 3 times)
  PID 4892 wrote to memory of 1700 | 4892 | 1.exe | 91 (recorded 3 times)
  PID 4892 wrote to memory of 2376 | 4892 | 1.exe | 92 (recorded 17 times)
  PID 876 wrote to memory of 1916 | 876 | cmd.exe | 94 (recorded 3 times)
  PID 1700 wrote to memory of 4912 | 1700 | cmd.exe | 95 (recorded 3 times)
  PID 4892 wrote to memory of 4752 | 4892 | 1.exe | 96 (recorded 3 times)
  PID 4752 wrote to memory of 3376 | 4752 | msdcsc.exe | 97 (recorded 20 times)

System policy modification (TTPs: 1, IoCs: 3)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1" | msdcsc.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion | msdcsc.exe
  Key created | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern | msdcsc.exe

Views/modifies file attributes (TTPs: 1, IoCs: 2)
  pid | Process
  1916 | attrib.exe
  4912 | attrib.exe
Processes
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b6a94ac17d74979c41f9df5dd987740.exe
  command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b6a94ac17d74979c41f9df5dd987740.exe"
  PID: 2364
  - Checks computer location settings
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe
      command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ztmp\t11631.bat" "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_6b6a94ac17d74979c41f9df5dd987740.exe" "
      PID: 3988
      - System Location Discovery: System Language Discovery
      - Suspicious use of WriteProcessMemory

        C:\Users\Admin\AppData\Local\Temp\afolder\2.exe
          command line: 2.exe
          PID: 4144
          - Checks computer location settings
          - Executes dropped EXE
          - System Location Discovery: System Language Discovery
          - Suspicious use of WriteProcessMemory

            C:\Windows\SysWOW64\cmd.exe
              command line: C:\Windows\system32\cmd.exe /c ""C:\Users\Admin\AppData\Local\Temp\ztmp\t13571.bat" "C:\Users\Admin\AppData\Local\Temp\afolder\2.exe" "
              PID: 4424
              - System Location Discovery: System Language Discovery
              - Suspicious use of WriteProcessMemory

                C:\Users\Admin\AppData\Local\Temp\afolder\1.exe
                  command line: 1.exe
                  PID: 4892
                  - Modifies WinLogon for persistence
                  - Checks computer location settings
                  - Executes dropped EXE
                  - Adds Run key to start application
                  - System Location Discovery: System Language Discovery
                  - Modifies registry class
                  - Suspicious use of AdjustPrivilegeToken
                  - Suspicious use of WriteProcessMemory

                    C:\Windows\SysWOW64\cmd.exe
                      command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\afolder\1.exe" +s +h
                      PID: 876
                      - System Location Discovery: System Language Discovery
                      - Suspicious use of WriteProcessMemory

                        C:\Windows\SysWOW64\attrib.exe
                          command line: attrib "C:\Users\Admin\AppData\Local\Temp\afolder\1.exe" +s +h
                          PID: 1916
                          - Sets file to hidden
                          - System Location Discovery: System Language Discovery
                          - Views/modifies file attributes

                    C:\Windows\SysWOW64\cmd.exe
                      command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\afolder" +s +h
                      PID: 1700
                      - System Location Discovery: System Language Discovery
                      - Suspicious use of WriteProcessMemory

                        C:\Windows\SysWOW64\attrib.exe
                          command line: attrib "C:\Users\Admin\AppData\Local\Temp\afolder" +s +h
                          PID: 4912
                          - Sets file to hidden
                          - System Location Discovery: System Language Discovery
                          - Views/modifies file attributes

                    C:\Windows\SysWOW64\notepad.exe
                      command line: notepad
                      PID: 2376
                      - System Location Discovery: System Language Discovery

                    C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
                      command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
                      PID: 4752
                      - Modifies security service
                      - Windows security bypass
                      - Executes dropped EXE
                      - Windows security modification
                      - Adds Run key to start application
                      - System Location Discovery: System Language Discovery
                      - Suspicious behavior: GetForegroundWindowSpam
                      - Suspicious use of AdjustPrivilegeToken
                      - Suspicious use of SetWindowsHookEx
                      - Suspicious use of WriteProcessMemory
                      - System policy modification

                        C:\Windows\SysWOW64\notepad.exe
                          command line: notepad
                          PID: 3376
                          - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (1)
    Windows Service (1)
Defense Evasion
  Hide Artifacts (2)
    Hidden Files and Directories (2)
  Impair Defenses (2)
    Disable or Modify Tools (2)
  Modify Registry (6)
Downloads
Filesize: 659KB
MD5: a5c281dab973219f324282acea6e9d36
SHA1: 0b295a4cfeab1953e8d0b2ee6e08c3f9002be9a0
SHA256: 1d473afb1ffb75541405e7c0a24673dd266eccc00d386aff67016f1bd1e8153c
SHA512: 3588d64d4a1bf91bc473d5734f7f7c457d2bd7d7a5e28443137410602a34ad90decf32c4bfb080ce3219cf3eede492773efc724d27f4c354bb42e9f3e36a5c8d

Filesize: 719KB
MD5: 37be355dc1b396e577b4fc4c10a05db0
SHA1: da566574177c5e5f1b61b639454fdff20cff2996
SHA256: d8b3e4f5a91aeebd08dfa46bb2269475a28d4ea21af9dbdb0a10413d38879fef
SHA512: 897ba71b0baad9c64a3cf228dc5bfee7cf4282277899da984ad13a79e8ec40c749de926573b3498e92234c45c970e89ab801337a53ebfa3fe6e2af58566fdc0e

Filesize: 205B
MD5: 33933e17f7c35079a56cf8a3e0bbc995
SHA1: d3cc52bd65e17c4f125aa75d0b723f8b9ba68217
SHA256: 68e1629e42db2a53a40121a78f41bc36041006a197f640f2e8ab997011013be0
SHA512: 763cc69d43c4143697dce76abc1e54a9787eb3c58a263c682ad3d17840c4f24b88a46b8a7249b31f4425175e54c25970a5c5684c9c35303ab4a0e14f40ecd955

Filesize: 205B
MD5: d71819b55bd111f54e417f07a895d4f2
SHA1: 98be31c1d3b7a227396cf16ad3206f2fe3f01a1e
SHA256: 52bef660c1697c5b44a24be4a205a1721682fd08e7fa19bfb8303bc15b8090ab
SHA512: 68d71b6a4b5172fce208d355ecf9aeb61fc449597c5171e3937c362b0f622b11cc39bf6a8e67098f8ab07fbb4c076f51c8fa6509f6223e6dc50a4ad9949dced3