Analysis
max time kernel: 144s
max time network: 130s
platform: windows10-2004_x64
resource: win10v2004-20250217-en
resource tags: arch:x64, arch:x86, image:win10v2004-20250217-en, locale:en-us, os:windows10-2004-x64, system
submitted: 01/03/2025, 06:31
Static task: static1
Behavioral task: behavioral1
Sample: JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe
Resource: win7-20240729-en
General
Target: JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe
Size: 1.4MB
MD5: 374e6afe24154e3613673122861ce0cf
SHA1: 2cfd69c9bb0f9f20ebe971c1dfe909fb11601a75
SHA256: ae3507004a75fcdd9a75b8453ef276328cf089476ce0d840c027feaf0056f13d
SHA512: b887235ab7852a5f4073b67fe5b89034c0741cf87dfe4541caf3974a0322e9c0784010a86d2e8eedaad73cf058b2f8d11be5f212730b4ff388613d13d9ef81ae
SSDEEP: 24576:+R3lQvH82TNdxtlF2jx1JT7ySLrJ7BcBBTXjYkhFH5tMdzFpLgitgN:8lQvH3dozB7ySPryTTnFHPED1g
Malware Config
Extracted
Family: darkcomet
ID: Guest16
C2: 127.0.0.1:200
C2: michaelmichael.myftp.org:200
Mutex: DC_MUTEX-L8WW51F
InstallPath: MSDCSC\msdcsc.exe
gencode: WcQCytYXn2FT
install: true
offline_keylogger: true
persistence: true
reg_key: MicroUpdate
Signatures
- Darkcomet family
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (vbc.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\Control Panel\International\Geo\Nation (JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe)
- Drops startup file (2 IoCs)
  File opened for modification: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe (246535.exe)
  File created: C:\Users\Admin\AppData\Roaming\Microsoft\Windows\Start Menu\Programs\Startup\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe (246535.exe)
- Executes dropped EXE (2 IoCs)
  PID 2668 msdcsc.exe
  PID 4356 246535.exe
- Uses the VBS compiler for execution (1 TTP)
- Adds Run key to start application (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\USER\S-1-5-21-1170604239-850860757-3112005715-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" (vbc.exe)
- Drops desktop.ini file(s) (2 IoCs)
  File created: C:\Windows\assembly\Desktop.ini (JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe)
  File opened for modification: C:\Windows\assembly\Desktop.ini (JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe)
- Suspicious use of SetThreadContext (1 IoC)
  PID 2312 set thread context of 2556 (JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe, target 87)
- Drops file in Windows directory (3 IoCs)
  File opened for modification: C:\Windows\assembly (JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe)
  File created: C:\Windows\assembly\Desktop.ini (JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe)
  File opened for modification: C:\Windows\assembly\Desktop.ini (JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- System Location Discovery: System Language Discovery (1 TTP, 6 IoCs)
  Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vbc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (cvtres.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (msdcsc.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (246535.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe)
  Key opened: \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language (vbc.exe)
- Modifies registry class (1 IoC)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\ (vbc.exe)
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  All 24 token adjustments are by PID 2556 (vbc.exe): SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of WriteProcessMemory (26 IoCs)
  PID 2312 wrote to memory of 2556 (JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe, target 87): 14 occurrences
  PID 2312 wrote to memory of 1692 (JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe, target 88): 3 occurrences
  PID 1692 wrote to memory of 3672 (vbc.exe, target 90): 3 occurrences
  PID 2556 wrote to memory of 2668 (vbc.exe, target 91): 3 occurrences
  PID 2312 wrote to memory of 4356 (JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe, target 97): 3 occurrences
Processes
- C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe (PID 2312, depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_374e6afe24154e3613673122861ce0cf.exe"
  - Checks computer location settings
  - Drops desktop.ini file(s)
  - Suspicious use of SetThreadContext
  - Drops file in Windows directory
  - System Location Discovery: System Language Discovery
  - Suspicious use of WriteProcessMemory
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 2556, depth 2)
    Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe
    - Modifies WinLogon for persistence
    - Adds Run key to start application
    - System Location Discovery: System Language Discovery
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 2668, depth 3)
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
      - System Location Discovery: System Language Discovery
  - C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe (PID 1692, depth 2)
    Command line: "C:\Windows\Microsoft.NET\Framework\v2.0.50727\vbc.exe" /noconfig @"C:\Users\Admin\AppData\Local\Temp\wg1flxsj.cmdline"
    - System Location Discovery: System Language Discovery
    - Suspicious use of WriteProcessMemory
    - C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe (PID 3672, depth 3)
      Command line: C:\Windows\Microsoft.NET\Framework\v2.0.50727\cvtres.exe /NOLOGO /READONLY /MACHINE:IX86 "/OUT:C:\Users\Admin\AppData\Local\Temp\RES10A0.tmp" "C:\Users\Admin\AppData\Local\Temp\vbcE6C442FDB7514821B5B3546D3AB8B4A6.TMP"
      - System Location Discovery: System Language Discovery
  - C:\Users\Admin\AppData\Roaming\246535.exe (PID 4356, depth 2)
    Command line: "C:\Users\Admin\AppData\Roaming\246535.exe"
    - Drops startup file
    - Executes dropped EXE
    - System Location Discovery: System Language Discovery
Network
MITRE ATT&CK Enterprise v15
Persistence
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Privilege Escalation
- Boot or Logon Autostart Execution (2)
  - Registry Run Keys / Startup Folder (1)
  - Winlogon Helper DLL (1)
Downloads