Analysis
- max time kernel: 148s
- max time network: 154s
- platform: windows10-2004_x64
- resource: win10v2004-20241007-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20241007-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-01-2025 03:21
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe
- Resource: win7-20240903-en
Behavioral task: behavioral2
- Sample: JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe
- Resource: win10v2004-20241007-en
General
- Target: JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe
- Size: 333KB
- MD5: 775098a7a37f647bfd8e1f939d8771df
- SHA1: 4c5147d5d16c3cd1d9b790f07d06084807cb14af
- SHA256: c88f8c13f73d0ee32d0b3a83fce6a383e74234d2ae7fa58bae07cacf0946ff4a
- SHA512: b34dea42013c8318b64075332d7a2f8b46f9609ffb759aa659ba2b9f1edc473940e973616ea2e406680920d2750718cc47ae8825a600e2b02505ba8932476b3d
- SSDEEP: 6144:4iEoiNcdTzZrcxrHHTMXcqEjSrKmwToZ5n:LPiKdTtrYDHTaFmBK
Malware Config
Extracted (family: darkcomet)
- Genesis999
- ipkiller.zapto.org:100 (C2 host:port)
- DC-HUMVLEETPWP94P
- InstallPath: MSDCSC\msdcsc.exe
- gencode: 9JpvAVQtk01b
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
- Darkcomet family
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  - Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe)
- Disables RegEdit via registry modification (2 IoCs)
  - Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe)
  - Set value (int) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" (process: msdcsc.exe)
- Disables Task Manager via registry modification
- Checks computer location settings (2 TTPs, 3 IoCs): looks up the country code configured in the registry, likely a geofence.
  - Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation (process: JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe)
  - Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation (process: msdcsc.exe)
  - Key value queried \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\Control Panel\International\Geo\Nation (process: JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe)
- Executes dropped EXE (1 IoC)
  - PID 4088 msdcsc.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  - Set value (str) \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (process: JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe)
- Suspicious use of SetThreadContext (1 IoC)
  - PID 1404 (JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe) set thread context of 3764 (procid_target 90)
- YARA rule matches (rule: upx, 5 resources)
  - behavioral2/memory/3764-7-0x0000000000400000-0x00000000004B7000-memory.dmp
  - behavioral2/memory/3764-9-0x0000000000400000-0x00000000004B7000-memory.dmp
  - behavioral2/memory/3764-10-0x0000000000400000-0x00000000004B7000-memory.dmp
  - behavioral2/memory/3764-12-0x0000000000400000-0x00000000004B7000-memory.dmp
  - behavioral2/memory/3764-11-0x0000000000400000-0x00000000004B7000-memory.dmp
- Enumerates physical storage devices (1 TTP): attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 9 IoCs): attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  - Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language by, in order: msdcsc.exe; REG.exe; REG.exe; WScript.exe; REG.exe; WScript.exe; JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe; REG.exe; JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe
- Modifies registry class (2 IoCs)
  - Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings (process: JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe)
  - Key created \REGISTRY\USER\S-1-5-21-2437139445-1151884604-3026847218-1000_Classes\Local Settings (process: msdcsc.exe)
- Modifies registry key (1 TTP, 4 IoCs)
  - PID 2988 REG.exe; PID 3736 REG.exe; PID 3228 REG.exe; PID 2648 REG.exe
- Suspicious use of AdjustPrivilegeToken (26 IoCs)
  - PID 1404 (JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe): SeDebugPrivilege
  - PID 3764 (JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  - PID 4088 (msdcsc.exe): SeDebugPrivilege
- Suspicious use of WriteProcessMemory (32 IoCs)
  - PID 1404 (JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe) wrote to memory of 3764 (procid_target 90): 8 entries
  - PID 1404 (JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe) wrote to memory of 2456 (procid_target 91): 3 entries
  - PID 1404 (JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe) wrote to memory of 3736 (procid_target 92): 3 entries
  - PID 1404 (JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe) wrote to memory of 2988 (procid_target 93): 3 entries
  - PID 3764 (JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe) wrote to memory of 4088 (procid_target 96): 3 entries
  - PID 4088 (msdcsc.exe) wrote to memory of 2096 (procid_target 105): 3 entries
  - PID 4088 (msdcsc.exe) wrote to memory of 5040 (procid_target 106): 3 entries
  - PID 4088 (msdcsc.exe) wrote to memory of 2648 (procid_target 107): 3 entries
  - PID 4088 (msdcsc.exe) wrote to memory of 3228 (procid_target 108): 3 entries
Processes
- Level 1, PID 1404: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe"
  - Disables RegEdit via registry modification
  - Checks computer location settings
  - Suspicious use of SetThreadContext
  - System Location Discovery: System Language Discovery
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - Level 2, PID 3764: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_775098a7a37f647bfd8e1f939d8771df.exe
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - Level 3, PID 4088: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      - Disables RegEdit via registry modification
      - Checks computer location settings
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
      - Modifies registry class
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      - Level 4, PID 2096: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        Command line: C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      - Level 4, PID 5040: C:\Windows\SysWOW64\WScript.exe
        Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\XoymS.vbs"
        - System Location Discovery: System Language Discovery
      - Level 4, PID 2648: C:\Windows\SysWOW64\REG.exe
        Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 0 /f
        - System Location Discovery: System Language Discovery
        - Modifies registry key
      - Level 4, PID 3228: C:\Windows\SysWOW64\REG.exe
        Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
        - System Location Discovery: System Language Discovery
        - Modifies registry key
  - Level 2, PID 2456: C:\Windows\SysWOW64\WScript.exe
    Command line: "C:\Windows\System32\WScript.exe" "C:\Users\Admin\AppData\Roaming\XoymS.vbs"
    - System Location Discovery: System Language Discovery
  - Level 2, PID 3736: C:\Windows\SysWOW64\REG.exe
    Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoControlPanel /t REG_DWORD /d 0 /f
    - System Location Discovery: System Language Discovery
    - Modifies registry key
  - Level 2, PID 2988: C:\Windows\SysWOW64\REG.exe
    Command line: REG add HKCU\Software\Microsoft\Windows\CurrentVersion\Policies\Explorer /v NoRun /t REG_DWORD /d 1 /f
    - System Location Discovery: System Language Discovery
    - Modifies registry key
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Downloads
- Filesize: 405B
  - MD5: 3f15ac4f6dfba7f653788de5b9101ebc
  - SHA1: 4ef9e50ba823249e50df563e5fdfaaf4e13ad041
  - SHA256: 3bde2f11a96ee13e4b2cf06f1728730d8163b71d011dc9beb1bf0d659220b37b
  - SHA512: 6ef0b58f301b76dff08c89c4af2fddc87689c0744ab59f81e0ad7294df1bd331ad400800cfbe21727527b3415f0a6b6be0cf54daa00368fd48e59d59859df8c0
- Filesize: 333KB
  - MD5: 775098a7a37f647bfd8e1f939d8771df
  - SHA1: 4c5147d5d16c3cd1d9b790f07d06084807cb14af
  - SHA256: c88f8c13f73d0ee32d0b3a83fce6a383e74234d2ae7fa58bae07cacf0946ff4a
  - SHA512: b34dea42013c8318b64075332d7a2f8b46f9609ffb759aa659ba2b9f1edc473940e973616ea2e406680920d2750718cc47ae8825a600e2b02505ba8932476b3d