Analysis

max time kernel: 150s
max time network: 144s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 27/02/2025, 04:49
Behavioral task behavioral1
Sample: JaffaCakes118_2ad0882bd65c724bc72a5551cfc4deac.exe
Resource: win7-20240903-en

Behavioral task behavioral2
Sample: JaffaCakes118_2ad0882bd65c724bc72a5551cfc4deac.exe
Resource: win10v2004-20250217-en
General

Target: JaffaCakes118_2ad0882bd65c724bc72a5551cfc4deac.exe
Size: 251KB
MD5: 2ad0882bd65c724bc72a5551cfc4deac
SHA1: aa4ad1269bc7852513c2c09b3b83f19b62b370e4
SHA256: 3764002f8b40e8752ba731f80116fa83adff90d1e142cd1a8973515418d97d7b
SHA512: f554741dc123ead7faff2342467609385f020feb12c330c8090a65635c1d3cc95322a5ef886b9e88b07f60af5920babeeb6917f016c693311cdc4db352449aee
SSDEEP: 6144:McNYS996KFifeVjBpeExgVTFSXFoMc5RhCaL37s:McW7KEZlPzCy37
Malware Config

Extracted family: darkcomet
Campaign ID (botnet): Guest16
C2: 62.201.240.82:1604
Mutex: DC_MUTEX-Q2YYCL4
InstallPath: MSDCSC\msdcsc.bat
gencode: WYKYDgPxBWPJ
install: true
offline_keylogger: true
password: 0123456789 (the key DarkComet uses for its C2 traffic)
persistence: true
reg_key: MicroUpdate
Signatures

Darkcomet family
Modifies WinLogon for persistence (2 TTPs, 1 IoC)
The stock UserInit value is userinit.exe alone; the appended msdcsc.bat path is launched by Winlogon at every interactive logon.
description | ioc | process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.bat" | JaffaCakes118_2ad0882bd65c724bc72a5551cfc4deac.exe
Disables RegEdit via registry modification (2 IoCs)
description | ioc | process
Set value (int) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | msdcsc.bat
Set value (int) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" | iexplore.exe
Checks computer location settings (2 TTPs, 1 IoC)
Looks up the country code configured in the registry, likely a geofence.
description | ioc | process
Key value queried | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\Control Panel\International\Geo\Nation | JaffaCakes118_2ad0882bd65c724bc72a5551cfc4deac.exe
Executes dropped EXE (1 IoC)
pid | process
780 | msdcsc.bat (a PE image despite the .bat extension)
Adds Run key to start application (2 TTPs, 3 IoCs)
description | ioc | process
Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.bat" | JaffaCakes118_2ad0882bd65c724bc72a5551cfc4deac.exe
Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.bat" | msdcsc.bat
Set value (str) | \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.bat" | iexplore.exe
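The three registry signatures above (Winlogon UserInit, DisableRegistryTools, Run key) and the extracted config (reg_key MicroUpdate, InstallPath MSDCSC\msdcsc.bat) are the part of this report most worth turning into a repeatable check. The script below is an added example, not code from the sandbox or this report: it re-parses the report's own "Set value" lines, flags the UserInit entry that is not the stock userinit.exe, the Run-key autostart and the regedit policy, and ties the Run key back to the extracted config. The stock UserInit value, the path rules and the ATT&CK IDs are this example's assumptions, not something the report states.

```python
"""Triage of the registry 'Set value' events listed in the signatures above.

Added example, not part of the sandbox report. The event strings below are
copied from the report; the classification rules (the stock UserInit value,
the Run-key and Policies\\System paths, the ATT&CK IDs) are this example's own.
"""
import re
from dataclasses import dataclass

# Constructed input: three registry writes exactly as the report prints them.
EVENTS = [
    r'Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.bat" JaffaCakes118_2ad0882bd65c724bc72a5551cfc4deac.exe',
    r'Set value (int) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1" msdcsc.bat',
    r'Set value (str) \REGISTRY\USER\S-1-5-21-250031470-1197856012-2659781506-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.bat" iexplore.exe',
]

# Values from the report's extracted config, used to tie the writes back to the sample.
CONFIG = {"reg_key": "MicroUpdate", "InstallPath": r"MSDCSC\msdcsc.bat"}

LINE_RE = re.compile(
    r'^Set value \((?:str|int)\) (?P<path>\\REGISTRY\\.+?) = "(?P<value>.*)" (?P<proc>\S+)$'
)
# Stock Winlogon UserInit value on a clean install (a trailing comma is normal).
DEFAULT_USERINIT = r"c:\windows\system32\userinit.exe"


@dataclass(frozen=True)
class Finding:
    technique: str   # ATT&CK technique this write maps to (assumed mapping)
    process: str     # process that performed the write
    detail: str      # the suspicious part of the value


def parse_event(line):
    """Split one report line into (registry path, value, writing process)."""
    m = LINE_RE.match(line.strip())
    if not m:
        return None
    # The report doubles backslashes inside quoted values; undo that.
    return m["path"], m["value"].replace("\\\\", "\\"), m["proc"]


def classify(path, value, proc):
    p = path.lower()
    if p.endswith(r"\winlogon\userinit"):
        # Anything besides the stock userinit.exe is started by Winlogon at each logon.
        extras = [e for e in (x.strip() for x in value.split(","))
                  if e and e.lower() != DEFAULT_USERINIT]
        return Finding("T1547.004 Winlogon Helper (UserInit)", proc, ";".join(extras)) if extras else None
    if "\\currentversion\\run\\" in p:   # trailing backslash excludes RunOnce etc.
        name = path.rsplit("\\", 1)[-1]
        return Finding("T1547.001 Registry Run Key", proc, f"{name} = {value}")
    if p.endswith(r"\policies\system\disableregistrytools") and value == "1":
        return Finding("T1112 Modify Registry (regedit disabled)", proc, path)
    return None


def triage(lines):
    findings = []
    for line in lines:
        parsed = parse_event(line)
        if parsed:
            f = classify(*parsed)
            if f:
                findings.append(f)
    return findings


def matches_config(findings, config=CONFIG):
    """True if a Run-key finding uses the configured value name and install path."""
    return any(
        f.technique.startswith("T1547.001")
        and f.detail.startswith(config["reg_key"] + " = ")
        and f.detail.lower().endswith(config["InstallPath"].lower())
        for f in findings
    )


if __name__ == "__main__":
    for f in triage(EVENTS):
        print(f"{f.technique:45} {f.process:55} {f.detail}")
    print("matches extracted config:", matches_config(triage(EVENTS)))
```

The UserInit rule deliberately compares against the full stock value rather than looking for "msdcsc"; on a live host the same comparison over the HKLM key, plus the HKCU Run key and the Policies\System value, is a cheap post-infection check that does not depend on the file name this build happens to use.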
Suspicious use of SetThreadContext (1 IoC)
description | pid | process | procid_target
PID 780 set thread context of 3456 | 780 | msdcsc.bat | 87
YARA rule matches (upx)
resource | yara_rule
behavioral2/memory/3744-0-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/files/0x000b000000023c3e-6.dat | upx
behavioral2/memory/780-8-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/3456-10-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/780-12-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
behavioral2/memory/3744-15-0x0000000000400000-0x00000000004B7000-memory.dmp | upx
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery (1 TTP, 4 IoCs)
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_2ad0882bd65c724bc72a5551cfc4deac.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdcsc.bat
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iexplore.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | notepad.exe
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
pid | process
3456 | iexplore.exe
Suspicious use of AdjustPrivilegeToken (64 IoCs)
pid | process | tokens
3744 | JaffaCakes118_2ad0882bd65c724bc72a5551cfc4deac.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
780 | msdcsc.bat | the same 24 privileges as PID 3744, in the same order
3456 | iexplore.exe | SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege (the listing ends at the 64th entry)
Suspicious use of SetWindowsHookEx (1 IoC)
pid | process
3456 | iexplore.exe
Suspicious use of WriteProcessMemory (30 IoCs)
description | pid | process | procid_target
PID 3744 wrote to memory of 780 | 3744 | JaffaCakes118_2ad0882bd65c724bc72a5551cfc4deac.exe | 86 (3 entries)
PID 780 wrote to memory of 3456 | 780 | msdcsc.bat | 87 (5 entries)
PID 3456 wrote to memory of 1192 | 3456 | iexplore.exe | 88 (22 entries)
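Read together, the WriteProcessMemory and SetThreadContext signatures above describe one chain: msdcsc.bat writes into the iexplore.exe process it spawned and then changes a thread context in it, and the memory yara hit on PID 3456 at 0x400000-0x4B7000 (the same range as the sample's own image) shows the UPX-packed payload now living inside iexplore.exe. The script below is an added example, not part of the report or of any sandbox tooling: it re-parses the report's own event lines, aggregates writes per source/target pair, and flags the pairs that also had a thread-context change, which is the process-hollowing / thread-hijack pattern. The ATT&CK IDs and the scoring rule are this example's assumptions.

```python
"""Correlate the WriteProcessMemory and SetThreadContext events above into
injection chains. Added example, not part of the sandbox report: the event
strings are copied from the report, the chain scoring is this example's own.
"""
import re
from collections import defaultdict

WRITE_RE = re.compile(r"^PID (\d+) wrote to memory of (\d+) \1 (\S+) \d+$")
CTX_RE = re.compile(r"^PID (\d+) set thread context of (\d+) \1 (\S+) \d+$")

SAMPLE = "JaffaCakes118_2ad0882bd65c724bc72a5551cfc4deac.exe"
# Constructed input: the 30 WriteProcessMemory lines and the one SetThreadContext
# line from the report, in the order the report lists them.
EVENTS = (
    [f"PID 3744 wrote to memory of 780 3744 {SAMPLE} 86"] * 3
    + ["PID 780 wrote to memory of 3456 780 msdcsc.bat 87"] * 5
    + ["PID 780 set thread context of 3456 780 msdcsc.bat 87"]
    + ["PID 3456 wrote to memory of 1192 3456 iexplore.exe 88"] * 22
)


def injection_chains(lines):
    """Return ({(src_pid, dst_pid): {"writes": n, "set_thread_context": bool}}, {pid: name}).

    Names are only known for processes that appear as a source; a target that
    never acts as a source (PID 1192 here) stays unnamed.
    """
    chains = defaultdict(lambda: {"writes": 0, "set_thread_context": False})
    names = {}
    for line in lines:
        if m := WRITE_RE.match(line):
            chains[(int(m[1]), int(m[2]))]["writes"] += 1
        elif m := CTX_RE.match(line):
            chains[(int(m[1]), int(m[2]))]["set_thread_context"] = True
        else:
            continue
        names[int(m[1])] = m[3]
    return dict(chains), names


def likely_hollowed(lines):
    """Targets that received memory writes *and* a thread-context change from the
    same source: the process-hollowing / thread-hijack pattern
    (T1055.012 / T1055.003, assumed mapping)."""
    chains, names = injection_chains(lines)
    return [
        (src, names.get(src, "?"), dst, names.get(dst, "?"))
        for (src, dst), c in chains.items()
        if c["writes"] and c["set_thread_context"]
    ]


if __name__ == "__main__":
    chains, names = injection_chains(EVENTS)
    for (src, dst), c in chains.items():
        print(f"{src} ({names.get(src, '?')}) -> {dst} ({names.get(dst, '?')}): "
              f"{c['writes']} writes, SetThreadContext={c['set_thread_context']}")
    print("likely hollowed:", likely_hollowed(EVENTS))
```

Only the 780 -> 3456 pair scores: the sample's writes into msdcsc.bat (3 writes, no context change) are the ordinary child-process start, and the 22 writes from iexplore.exe into notepad.exe have no matching SetThreadContext in this report, so the script reports them but does not call them hollowing. On an EDR feed the same two event types, joined on source and target PID, give the same result without needing the sandbox's signature names.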
Processes

1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2ad0882bd65c724bc72a5551cfc4deac.exe (PID 3744)
   command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_2ad0882bd65c724bc72a5551cfc4deac.exe"
   - Modifies WinLogon for persistence
   - Checks computer location settings
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory

   2. C:\Users\Admin\Documents\MSDCSC\msdcsc.bat (PID 780, child of 3744)
      command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.bat"
      - Disables RegEdit via registry modification
      - Executes dropped EXE
      - Adds Run key to start application
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory

      3. C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 3456, child of 780)
         command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
         - Disables RegEdit via registry modification
         - Adds Run key to start application
         - System Location Discovery: System Language Discovery
         - Suspicious behavior: GetForegroundWindowSpam
         - Suspicious use of AdjustPrivilegeToken
         - Suspicious use of SetWindowsHookEx
         - Suspicious use of WriteProcessMemory

         4. C:\Windows\SysWOW64\notepad.exe (PID 1192, child of 3456)
            command line: notepad
            - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads

Submitted sample (same hashes as in General)
Filesize: 251KB
MD5: 2ad0882bd65c724bc72a5551cfc4deac
SHA1: aa4ad1269bc7852513c2c09b3b83f19b62b370e4
SHA256: 3764002f8b40e8752ba731f80116fa83adff90d1e142cd1a8973515418d97d7b
SHA512: f554741dc123ead7faff2342467609385f020feb12c330c8090a65635c1d3cc95322a5ef886b9e88b07f60af5920babeeb6917f016c693311cdc4db352449aee