Analysis
- max time kernel: 150s
- max time network: 19s
- platform: windows7_x64
- resource: win7-20241010-en
- resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
- submitted: 26/02/2025, 05:13
Static task: static1
Behavioral task: behavioral1
- Sample: JaffaCakes118_23de3272cd0d500bf30c60ceaf052263.exe
- Resource: win7-20241010-en
General
- Target: JaffaCakes118_23de3272cd0d500bf30c60ceaf052263.exe
- Size: 802KB
- MD5: 23de3272cd0d500bf30c60ceaf052263
- SHA1: 95e2fc70e1e4460b8c4d3ce6d88c32003ae88ad4
- SHA256: 6ab8ee60f32be9888a13765e4b15f88e60ed5a5fe0e783989cad192952c5f3ae
- SHA512: aedb4e0596230f92197436f9e97b978594e579dfa3337917da335c4e8e1d4700073329857ca072a4f05dea6e81a95631abe29759b857b447c9149fdaa633a305
- SSDEEP: 24576:HdlTX3yCFJymZYnVrG2cQy6VjJYWw70+/:bTX3yC3ZYnVFzox/
Malware Config
Extracted: darkcomet
- gencode: (empty)
- install: false
- offline_keylogger: false
- persistence: false
Extracted: darkcomet
- Guest16
- h4xinc70.no-ip.org:20112
- DC_MUTEX-FAMJLZW
- InstallPath: MSDCSC\msdcsc.exe
- gencode: $i$HD$YCZ3RG
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
- Darkcomet family
- Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | AppLaunch.exe
  Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | AppLaunch.exe
- Executes dropped EXE (4 IoCs)
  pid | Process
  2252 | nvSCvAPISvr.exe
  1416 | SiaPort.exe
  2108 | msdcsc.exe
  2232 | msdcsc.exe
- Loads dropped DLL (6 IoCs)
  pid | Process
  1680 | JaffaCakes118_23de3272cd0d500bf30c60ceaf052263.exe
  1680 | JaffaCakes118_23de3272cd0d500bf30c60ceaf052263.exe
  2156 | AppLaunch.exe
  2252 | nvSCvAPISvr.exe
  2252 | nvSCvAPISvr.exe
  2216 | AppLaunch.exe
- Adds Run key to start application (2 TTPs, 3 IoCs)
  description | ioc | Process
  Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | AppLaunch.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\Microsoft® Windows® Operating System = "C:\\Users\\Admin\\AppData\\Local\\Temp\\System\\nvSCvAPISvr.exe" | nvSCvAPISvr.exe
  Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | AppLaunch.exe
- Suspicious use of SetThreadContext (2 IoCs)
  description | pid | Process | procid_target
  PID 1680 set thread context of 2156 | 1680 | JaffaCakes118_23de3272cd0d500bf30c60ceaf052263.exe | 30
  PID 1416 set thread context of 2216 | 1416 | SiaPort.exe | 34
- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTPs, 7 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  description | ioc | Process
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_23de3272cd0d500bf30c60ceaf052263.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AppLaunch.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | nvSCvAPISvr.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | SiaPort.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdcsc.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | AppLaunch.exe
  Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdcsc.exe
- Suspicious behavior: EnumeratesProcesses (64 IoCs)
  pid | Process (unique rows; the 64 reported IoCs repeat these three processes)
  1680 | JaffaCakes118_23de3272cd0d500bf30c60ceaf052263.exe
  2252 | nvSCvAPISvr.exe
  1416 | SiaPort.exe
- Suspicious use of AdjustPrivilegeToken (49 IoCs)
  description | pid | Process (tokens grouped per process)
  Token: SeDebugPrivilege | 1680 | JaffaCakes118_23de3272cd0d500bf30c60ceaf052263.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 | 2156 | AppLaunch.exe
  Token: SeDebugPrivilege | 2252 | nvSCvAPISvr.exe
  Token: SeDebugPrivilege | 1416 | SiaPort.exe
  Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 | 2216 | AppLaunch.exe
- Suspicious use of WriteProcessMemory (54 IoCs)
  description | pid | Process | procid_target (unique rows; the 54 reported IoCs repeat these six writes)
  PID 1680 wrote to memory of 2156 | 1680 | JaffaCakes118_23de3272cd0d500bf30c60ceaf052263.exe | 30
  PID 1680 wrote to memory of 2252 | 1680 | JaffaCakes118_23de3272cd0d500bf30c60ceaf052263.exe | 31
  PID 2156 wrote to memory of 2108 | 2156 | AppLaunch.exe | 32
  PID 2252 wrote to memory of 1416 | 2252 | nvSCvAPISvr.exe | 33
  PID 1416 wrote to memory of 2216 | 1416 | SiaPort.exe | 34
  PID 2216 wrote to memory of 2232 | 2216 | AppLaunch.exe | 35
Processes
[1] C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_23de3272cd0d500bf30c60ceaf052263.exe (PID 1680)
    command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_23de3272cd0d500bf30c60ceaf052263.exe"
    - Loads dropped DLL
    - Suspicious use of SetThreadContext
    - System Location Discovery: System Language Discovery
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (PID 2156)
        command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
        - Modifies WinLogon for persistence
        - Loads dropped DLL
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 2108)
            command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
            - Executes dropped EXE
            - System Location Discovery: System Language Discovery
    [2] C:\Users\Admin\AppData\Local\Temp\System\nvSCvAPISvr.exe (PID 2252)
        command line: "C:\Users\Admin\AppData\Local\Temp\System\nvSCvAPISvr.exe"
        - Executes dropped EXE
        - Loads dropped DLL
        - Adds Run key to start application
        - System Location Discovery: System Language Discovery
        - Suspicious behavior: EnumeratesProcesses
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory
        [3] C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe (PID 1416)
            command line: "C:\Users\Admin\AppData\Local\Temp\System\SiaPort.exe"
            - Executes dropped EXE
            - Suspicious use of SetThreadContext
            - System Location Discovery: System Language Discovery
            - Suspicious behavior: EnumeratesProcesses
            - Suspicious use of AdjustPrivilegeToken
            - Suspicious use of WriteProcessMemory
            [4] C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe (PID 2216)
                command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\AppLaunch.exe
                - Modifies WinLogon for persistence
                - Loads dropped DLL
                - Adds Run key to start application
                - System Location Discovery: System Language Discovery
                - Suspicious use of AdjustPrivilegeToken
                - Suspicious use of WriteProcessMemory
                [5] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 2232)
                    command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
                    - Executes dropped EXE
                    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Downloads
- Filesize: 802KB
  MD5: 23de3272cd0d500bf30c60ceaf052263
  SHA1: 95e2fc70e1e4460b8c4d3ce6d88c32003ae88ad4
  SHA256: 6ab8ee60f32be9888a13765e4b15f88e60ed5a5fe0e783989cad192952c5f3ae
  SHA512: aedb4e0596230f92197436f9e97b978594e579dfa3337917da335c4e8e1d4700073329857ca072a4f05dea6e81a95631abe29759b857b447c9149fdaa633a305
- Filesize: 23KB
  MD5: d951441b22e739047bcf51e663d20e6c
  SHA1: 12ac40540762c32308944e51d781d3ca8b2dfc0e
  SHA256: 4d17dc5e4a2a261372ee650c9cd44a54d932c0db752ebe91e4353159114d6596
  SHA512: 55ea6acd8d3dad5b2bce197aac186f5232f30610638f8243370f1017b9b3ffce79a6b5c84cc548fc9050793683e30fddb632447dfd56e04b925ce4cab76b8fd0
- Filesize: 54KB
  MD5: 0f01571a3e4c71eb4313175aae86488e
  SHA1: 2ba648afe2cd52edf5f25e304f77d457abf7ac0e
  SHA256: 8cc51c4c2efc8c6a401aa83a0aeced0925d5d9d2a43192f35561893cdf704022
  SHA512: 159dfbb7d385bf92f4fc48ca389b89d69f6c2616e90dfa056e725d7da78a3702694a28f9c5cab7b55adc4d4dbd7bfe5d272c8b1c9931e3ac95f6326d74576794