Analysis
-
max time kernel
149s -
max time network
129s -
platform
windows10-2004_x64 -
resource
win10v2004-20250217-en -
resource tags
arch:x64arch:x86image:win10v2004-20250217-enlocale:en-usos:windows10-2004-x64system -
submitted
20-02-2025 08:35
Behavioral task
behavioral1
Sample
JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe
Resource
win7-20241023-en
windows7-x64
19 signatures
150 seconds
Behavioral task
behavioral2
Sample
JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe
Resource
win10v2004-20250217-en
windows10-2004-x64
20 signatures
150 seconds
General
-
Target
JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe
-
Size
756KB
-
MD5
0aca758a485838013aca215d7392c5f0
-
SHA1
1bc185c26c75235442230e8b6d2dd9ad091cb51a
-
SHA256
ba4d4ecfa44a0a6714c66343f3bc91bddbdcb092a6c9b6dfd92e6e08b1a633b8
-
SHA512
293e26155107057f363fa87549b3b4b224ac794c0a4c38e27d07fb7cc0cf978633981a3613a450e151fd2df000724edcc88ee6cda92e5b3323ebc3c20f14aeaf
-
SSDEEP
12288:u9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLo9Ek5C/h+qMd0QZht:6Z1xuVVjfFoynPaVBUR8f+kN10EBcD0u
Malware Config
Extracted
Family
darkcomet
Botnet
Guest16
C2
10.1.1.103:1604
Mutex
DC_MUTEX-J67DSUM
Attributes
-
InstallPath
MSDCSC\msdcsc.exe
-
gencode
x4WFiNFxDswT
-
install
true
-
offline_keylogger
true
-
persistence
true
-
reg_key
MicroUpdate
rc4.plain
Signatures
-
Darkcomet family
-
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\MSDCSC\\msdcsc.exe" JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe -
Windows security bypass 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe -
Disables RegEdit via registry modification 1 IoCs
description ioc Process Set value (int) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" msdcsc.exe -
Sets file to hidden 1 TTPs 1 IoCs
Modifies file attributes to stop it showing in Explorer etc.
pid Process 1688 attrib.exe -
Checks computer location settings 2 TTPs 1 IoCs
Looks up country code configured in the registry, likely geofence.
description ioc Process Key value queried \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\Control Panel\International\Geo\Nation JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe -
Deletes itself 1 IoCs
pid Process 1356 notepad.exe -
Executes dropped EXE 1 IoCs
pid Process 2592 msdcsc.exe -
Windows security modification 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1" msdcsc.exe Set value (str) \REGISTRY\MACHINE\SOFTWARE\WOW6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1" msdcsc.exe -
Adds Run key to start application 2 TTPs 2 IoCs
description ioc Process Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\MSDCSC\\msdcsc.exe" JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe Set value (str) \REGISTRY\USER\S-1-5-21-925314154-1797147466-1467878628-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\MSDCSC\\msdcsc.exe" msdcsc.exe -
Drops file in Windows directory 3 IoCs
description ioc Process File created C:\Windows\MSDCSC\msdcsc.exe JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe File opened for modification C:\Windows\MSDCSC\msdcsc.exe JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe File opened for modification C:\Windows\MSDCSC\ JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe -
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
-
System Location Discovery: System Language Discovery 1 TTPs 6 IoCs
Attempt gather information about the system language of a victim in order to infer the geographical location of that host.
description ioc Process Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language msdcsc.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language notepad.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language cmd.exe Key opened \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language attrib.exe -
Modifies registry class 1 IoCs
description ioc Process Key created \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe -
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid Process 2592 msdcsc.exe -
Suspicious use of AdjustPrivilegeToken 48 IoCs
description pid Process Token: SeIncreaseQuotaPrivilege 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe Token: SeSecurityPrivilege 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe Token: SeTakeOwnershipPrivilege 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe Token: SeLoadDriverPrivilege 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe Token: SeSystemProfilePrivilege 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe Token: SeSystemtimePrivilege 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe Token: SeProfSingleProcessPrivilege 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe Token: SeIncBasePriorityPrivilege 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe Token: SeCreatePagefilePrivilege 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe Token: SeBackupPrivilege 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe Token: SeRestorePrivilege 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe Token: SeShutdownPrivilege 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe Token: SeDebugPrivilege 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe Token: SeSystemEnvironmentPrivilege 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe Token: SeChangeNotifyPrivilege 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe Token: SeRemoteShutdownPrivilege 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe Token: SeUndockPrivilege 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe Token: SeManageVolumePrivilege 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe Token: SeImpersonatePrivilege 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe Token: SeCreateGlobalPrivilege 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe Token: 33 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe Token: 34 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe Token: 35 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe Token: 36 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe Token: SeIncreaseQuotaPrivilege 2592 msdcsc.exe Token: SeSecurityPrivilege 2592 msdcsc.exe Token: SeTakeOwnershipPrivilege 2592 msdcsc.exe Token: SeLoadDriverPrivilege 2592 msdcsc.exe Token: SeSystemProfilePrivilege 2592 msdcsc.exe Token: SeSystemtimePrivilege 2592 msdcsc.exe Token: SeProfSingleProcessPrivilege 2592 msdcsc.exe Token: SeIncBasePriorityPrivilege 2592 msdcsc.exe Token: SeCreatePagefilePrivilege 2592 msdcsc.exe Token: SeBackupPrivilege 2592 msdcsc.exe Token: SeRestorePrivilege 2592 msdcsc.exe Token: SeShutdownPrivilege 2592 msdcsc.exe Token: SeDebugPrivilege 2592 msdcsc.exe Token: SeSystemEnvironmentPrivilege 2592 msdcsc.exe Token: SeChangeNotifyPrivilege 2592 msdcsc.exe Token: SeRemoteShutdownPrivilege 2592 msdcsc.exe Token: SeUndockPrivilege 2592 msdcsc.exe Token: SeManageVolumePrivilege 2592 msdcsc.exe Token: SeImpersonatePrivilege 2592 msdcsc.exe Token: SeCreateGlobalPrivilege 2592 msdcsc.exe Token: 33 2592 msdcsc.exe Token: 34 2592 msdcsc.exe Token: 35 2592 msdcsc.exe Token: 36 2592 msdcsc.exe -
Suspicious use of SetWindowsHookEx 1 IoCs
pid Process 2592 msdcsc.exe -
Suspicious use of WriteProcessMemory 48 IoCs
description pid Process procid_target PID 1540 wrote to memory of 2864 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe 85 PID 1540 wrote to memory of 2864 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe 85 PID 1540 wrote to memory of 2864 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe 85 PID 1540 wrote to memory of 1356 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe 86 PID 1540 wrote to memory of 1356 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe 86 PID 1540 wrote to memory of 1356 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe 86 PID 1540 wrote to memory of 1356 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe 86 PID 1540 wrote to memory of 1356 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe 86 PID 1540 wrote to memory of 1356 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe 86 PID 1540 wrote to memory of 1356 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe 86 PID 1540 wrote to memory of 1356 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe 86 PID 1540 wrote to memory of 1356 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe 86 PID 1540 wrote to memory of 1356 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe 86 PID 1540 wrote to memory of 1356 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe 86 PID 1540 wrote to memory of 1356 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe 86 PID 1540 wrote to memory of 1356 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe 86 PID 1540 wrote to memory of 1356 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe 86 PID 1540 wrote to memory of 1356 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe 86 PID 1540 wrote to memory of 1356 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe 86 PID 1540 wrote to memory of 1356 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe 86 PID 2864 wrote to memory of 1688 2864 cmd.exe 88 PID 2864 wrote to memory of 1688 2864 cmd.exe 88 PID 2864 wrote to memory of 1688 2864 cmd.exe 88 PID 1540 wrote to memory of 2592 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe 90 PID 1540 wrote to memory of 2592 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe 90 PID 1540 wrote to memory of 2592 1540 JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe 90 PID 2592 wrote to memory of 3096 2592 msdcsc.exe 93 PID 2592 wrote to memory of 3096 2592 msdcsc.exe 93 PID 2592 wrote to memory of 3096 2592 msdcsc.exe 93 PID 2592 wrote to memory of 3096 2592 msdcsc.exe 93 PID 2592 wrote to memory of 3096 2592 msdcsc.exe 93 PID 2592 wrote to memory of 3096 2592 msdcsc.exe 93 PID 2592 wrote to memory of 3096 2592 msdcsc.exe 93 PID 2592 wrote to memory of 3096 2592 msdcsc.exe 93 PID 2592 wrote to memory of 3096 2592 msdcsc.exe 93 PID 2592 wrote to memory of 3096 2592 msdcsc.exe 93 PID 2592 wrote to memory of 3096 2592 msdcsc.exe 93 PID 2592 wrote to memory of 3096 2592 msdcsc.exe 93 PID 2592 wrote to memory of 3096 2592 msdcsc.exe 93 PID 2592 wrote to memory of 3096 2592 msdcsc.exe 93 PID 2592 wrote to memory of 3096 2592 msdcsc.exe 93 PID 2592 wrote to memory of 3096 2592 msdcsc.exe 93 PID 2592 wrote to memory of 3096 2592 msdcsc.exe 93 PID 2592 wrote to memory of 3096 2592 msdcsc.exe 93 PID 2592 wrote to memory of 3096 2592 msdcsc.exe 93 PID 2592 wrote to memory of 3096 2592 msdcsc.exe 93 PID 2592 wrote to memory of 3096 2592 msdcsc.exe 93 PID 2592 wrote to memory of 3096 2592 msdcsc.exe 93 -
Views/modifies file attributes 1 TTPs 1 IoCs
pid Process 1688 attrib.exe
Processes
-
C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe"1⤵
- Modifies WinLogon for persistence
- Checks computer location settings
- Adds Run key to start application
- Drops file in Windows directory
- System Location Discovery: System Language Discovery
- Modifies registry class
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of WriteProcessMemory
PID:1540 -
C:\Windows\SysWOW64\cmd.exe"C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe" +s +h2⤵
- System Location Discovery: System Language Discovery
- Suspicious use of WriteProcessMemory
PID:2864 -
C:\Windows\SysWOW64\attrib.exeattrib "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_0aca758a485838013aca215d7392c5f0.exe" +s +h3⤵
- Sets file to hidden
- System Location Discovery: System Language Discovery
- Views/modifies file attributes
PID:1688
-
-
-
C:\Windows\SysWOW64\notepad.exenotepad2⤵
- Deletes itself
- System Location Discovery: System Language Discovery
PID:1356
-
-
C:\Windows\MSDCSC\msdcsc.exe"C:\Windows\MSDCSC\msdcsc.exe"2⤵
- Windows security bypass
- Disables RegEdit via registry modification
- Executes dropped EXE
- Windows security modification
- Adds Run key to start application
- System Location Discovery: System Language Discovery
- Suspicious behavior: GetForegroundWindowSpam
- Suspicious use of AdjustPrivilegeToken
- Suspicious use of SetWindowsHookEx
- Suspicious use of WriteProcessMemory
PID:2592 -
C:\Windows\SysWOW64\notepad.exenotepad3⤵
- System Location Discovery: System Language Discovery
PID:3096
-
-
Network
MITRE ATT&CK Enterprise v15
Persistence
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Privilege Escalation
Boot or Logon Autostart Execution
2Registry Run Keys / Startup Folder
1Winlogon Helper DLL
1Defense Evasion
Hide Artifacts
2Hidden Files and Directories
2Impair Defenses
2Disable or Modify Tools
2Modify Registry
4Replay Monitor
Loading Replay Monitor...
Downloads
-
Filesize
756KB
MD50aca758a485838013aca215d7392c5f0
SHA11bc185c26c75235442230e8b6d2dd9ad091cb51a
SHA256ba4d4ecfa44a0a6714c66343f3bc91bddbdcb092a6c9b6dfd92e6e08b1a633b8
SHA512293e26155107057f363fa87549b3b4b224ac794c0a4c38e27d07fb7cc0cf978633981a3613a450e151fd2df000724edcc88ee6cda92e5b3323ebc3c20f14aeaf