Analysis
max time kernel: 150s
max time network: 125s
platform: windows7_x64
resource: win7-20241010-en
resource tags: arch:x64, arch:x86, image:win7-20241010-en, locale:en-us, os:windows7-x64, system
submitted: 29/03/2025, 20:01
Behavioral task
behavioral1
Sample
JaffaCakes118_96c58abcedcb7648aa4db3c736d69fe7.exe
Resource
win7-20241010-en
General
Target: JaffaCakes118_96c58abcedcb7648aa4db3c736d69fe7.exe
Size: 658KB
MD5: 96c58abcedcb7648aa4db3c736d69fe7
SHA1: 39ebcc3bc26ad3c0f6dae3bad07d4b67bd7ca0dc
SHA256: 4f9d477fefef5d8e8915650f97b696760659e2934f9653b955231fae81be7bbb
SHA512: 07b1990e7bdb795487dfd56a9d5292d90bedee054ebbdbb64a093e91740ca0b8b7e81589bf3972db4343573786ec8a2df6c6aad1962ac6c8dd66a50841c49461
SSDEEP: 12288:S9HFJ9rJxRX1uVVjoaWSoynxdO1FVBaOiRZTERfIhNkNCCLd9Ek5C/hP:+Z1xuVVjfFoynPaVBUR8f+kN1PEBh
Malware Config
Extracted
Family: darkcomet
Botnet (campaign ID): Guest16
C2: 127.0.0.1:1604
Mutex: DC_MUTEX-YXXHLUR
InstallPath: MSDCSC\msdcsc.exe
gencode: 0d9w9uDzvpEN
install: true
offline_keylogger: false
persistence: false
reg_key: MicroUpdate
Notes on the extracted configuration: the C2 address is loopback, so this build cannot reach an operator. It will only ever try port 1604 on the infected host itself and produces no outbound C2 traffic. "Guest16" is DarkComet's default campaign identifier and 127.0.0.1:1604 its default listener address, which together point to an unconfigured or test build rather than an operational one. The InstallPath and reg_key fields line up with the behaviour recorded under Signatures: the dropped copy lands in C:\Users\Admin\Documents\MSDCSC\msdcsc.exe and is registered under the Run value "MicroUpdate".
Signatures
Darkcomet family
Modifies WinLogon for persistence 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | JaffaCakes118_96c58abcedcb7648aa4db3c736d69fe7.exe
Note: UserInit is a comma-separated list of programs that Winlogon runs at each interactive logon, and the stock value is userinit.exe alone followed by a trailing comma. The sample appends the dropped msdcsc.exe after the real userinit.exe so the normal logon flow is preserved. The value sits under HKLM, so the write only succeeds with administrative rights, which the sample had here (user Admin); on a standard-user host expect this entry to be absent and the HKCU Run key below to be the only autostart.
Boot or Logon Autostart Execution: Active Setup 2 TTPs 1 IoCs
Adversaries may achieve persistence by adding a Registry key to the Active Setup of the local machine.
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Active Setup\Installed Components | explorer.exe
Note: the process here is the standalone explorer.exe shell (PID 2868), which is neither spawned by the sample nor a target of its memory writes; the key is the per-user Installed Components parent key, with no component subkey or StubPath value recorded. Treat this hit as shell background activity rather than a persistence action by the sample.
Executes dropped EXE 1 IoCs
pid | Process
2784 | msdcsc.exe
Loads dropped DLL 2 IoCs
pid | Process
2772 | JaffaCakes118_96c58abcedcb7648aa4db3c736d69fe7.exe
2772 | JaffaCakes118_96c58abcedcb7648aa4db3c736d69fe7.exe
Adds Run key to start application 2 TTPs 1 IoCs
description | ioc | Process
Set value (str) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe" | JaffaCakes118_96c58abcedcb7648aa4db3c736d69fe7.exe
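The two registry writes above (the Winlogon UserInit entry and the per-user Run value) are the persistence artifacts a responder would sweep other hosts for. The script below is an added example, not sandbox or DarkComet code: it parses a UserInit value the way Winlogon does (comma-separated, trailing comma allowed, %SystemRoot% expanded) and flags Run values whose executable lives in a user profile. The registry snapshot is constructed from this report's IoCs plus one assumed benign Run value; on a live host feed the same functions with values read via winreg.

```python
"""Added example: hunt for the two persistence writes recorded in this report,
an executable appended to the Winlogon UserInit value and a per-user Run key
pointing into the user profile. REGISTRY_SNAPSHOT is constructed from the
report's IoCs (not read from a live machine)."""
import ntpath
import re


def parse_userinit(value: str, system_root: str = r"C:\Windows") -> list:
    """Split a UserInit value into its program entries, expanding %SystemRoot%."""
    entries = []
    for raw in value.split(","):
        item = raw.strip().strip('"')
        if not item:
            continue  # the trailing comma of the stock value yields an empty field
        item = re.sub(r"%systemroot%", lambda _m: system_root, item, flags=re.I)
        entries.append(item)
    return entries


def extra_userinit_entries(value: str, system_root: str = r"C:\Windows") -> list:
    """Return every UserInit entry that is not the expected userinit.exe."""
    expected = ntpath.normcase(ntpath.join(system_root, "system32", "userinit.exe"))
    return [e for e in parse_userinit(value, system_root)
            if ntpath.normcase(e) != expected]


def executable_of(command: str) -> str:
    """Extract the program path from a Run value, which may carry arguments."""
    m = re.match(r'^"([^"]+)"', command) or re.match(r"^(.*?\.exe)", command, re.I)
    return (m.group(1) if m else command).strip()


def is_user_profile_path(path: str) -> bool:
    """True for paths under the Users directory, i.e. writable without admin rights."""
    return ntpath.normcase(path).startswith("c:\\users\\")


def hunt(snapshot: dict) -> list:
    """Return (technique, key, detail) findings from a {key: value} snapshot."""
    findings = []
    for key, value in snapshot.items():
        k = ntpath.normcase(key)
        if k.endswith("\\winlogon\\userinit"):
            for extra in extra_userinit_entries(value):
                findings.append(("winlogon_userinit", key, extra))
        elif "\\currentversion\\run\\" in k:
            exe = executable_of(value)
            # Per-user software also installs here, so this is a triage cue,
            # not a verdict; the UserInit finding is the stronger signal.
            if is_user_profile_path(exe):
                findings.append(("run_key_user_profile", key, exe))
    return findings


# Constructed from the report's "Modifies WinLogon" and "Adds Run key" IoCs,
# plus one assumed benign Run value (VendorTray) to show what is not flagged.
SID = r"S-1-5-21-3692679935-4019334568-335155002-1000"
REGISTRY_SNAPSHOT = {
    r"\REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit":
        r"C:\Windows\system32\userinit.exe,C:\Users\Admin\Documents\MSDCSC\msdcsc.exe",
    r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate" % SID:
        r"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe",
    r"\REGISTRY\USER\%s\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray" % SID:
        r'"C:\Program Files\Vendor\tray.exe" /background',
}

if __name__ == "__main__":
    for technique, key, detail in hunt(REGISTRY_SNAPSHOT):
        print(f"{technique}: {detail}  <- {key}")
```

Run as-is it reports the two DarkComet entries and ignores the Program Files value. The UserInit comparison is case-insensitive and tolerant of the trailing comma and of %SystemRoot% because those are the forms a clean value can take; anything else after the comma is a foreign logon program.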
Suspicious use of SetThreadContext 1 IoCs
description | pid | Process | procid_target
PID 2784 set thread context of 2808 | 2784 | msdcsc.exe | 31
Note: taken together with the six WriteProcessMemory calls from 2784 into 2808 recorded below, and the fact that iexplore.exe is started by msdcsc.exe with no URL argument, this is consistent with process hollowing: the dropped copy launches Internet Explorer, writes its payload into the new process and rewrites a thread context to run it.
Enumerates physical storage devices 1 TTPs
Attempts to interact with connected storage/optical drive(s).
System Location Discovery: System Language Discovery 1 TTPs 3 IoCs
Attempts to gather information about the system language of a victim in order to infer the geographical location of that host.
description | ioc | Process
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | JaffaCakes118_96c58abcedcb7648aa4db3c736d69fe7.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | msdcsc.exe
Key opened | \REGISTRY\MACHINE\SYSTEM\ControlSet001\Control\NLS\Language | iexplore.exe
Modifies registry class 5 IoCs
description | ioc | Process
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_Classes\Local Settings | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell | explorer.exe
Key created | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\NodeSlots | explorer.exe
Set value (data) | \REGISTRY\USER\S-1-5-21-3692679935-4019334568-335155002-1000_CLASSES\Local Settings\Software\Microsoft\Windows\Shell\BagMRU\MRUListEx = ffffffff | explorer.exe
Note: all five writes are made by the shell process explorer.exe (PID 2868) to its own BagMRU folder-view state under the user's Classes hive. This is routine Explorer activity, not a change made by the sample or its children.
Suspicious behavior: GetForegroundWindowSpam 1 IoCs
pid | Process
2868 | explorer.exe
Suspicious use of AdjustPrivilegeToken 64 IoCs
description | pid | Process
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 entries; the last three are reported by LUID only) | 2772 | JaffaCakes118_96c58abcedcb7648aa4db3c736d69fe7.exe
Token: the same 23 entries, in the same order, as for PID 2772 | 2784 | msdcsc.exe
Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege (18 entries) | 2808 | iexplore.exe
Note: the dropped copy and the iexplore.exe it spawned enable the same privilege set as the original sample, which is what one expects if the same DarkComet payload is executing in all three processes; a genuine Internet Explorer launch has no reason to request SeDebugPrivilege or SeLoadDriverPrivilege.
Suspicious use of FindShellTrayWindow 29 IoCs
pid | Process
2868 | explorer.exe (29 calls)
Suspicious use of SendNotifyMessage 18 IoCs
pid | Process
2868 | explorer.exe (18 calls)
Suspicious use of WriteProcessMemory 10 IoCs
description | pid | Process | procid_target
PID 2772 wrote to memory of 2784 (4 calls) | 2772 | JaffaCakes118_96c58abcedcb7648aa4db3c736d69fe7.exe | 30
PID 2784 wrote to memory of 2808 (6 calls) | 2784 | msdcsc.exe | 31
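The SetThreadContext and WriteProcessMemory entries above are individually weak signals; what makes them interesting is their combination on the same parent/child pair and the choice of target image. The script below is an added example, not sandbox tooling: it takes per-call records built from this report's entries, regroups them by (source, target) pair, rates each pair (memory write alone, thread-context hijack, or hollowing of a trusted-directory binary by an untrusted parent) and walks the edges to recover the chain 2772 -> 2784 -> 2808. The EVENTS list and the TRUSTED_DIRS set are constructed and assumed respectively; image paths are taken from the process tree.

```python
"""Added example: rebuild the injection chain this report records
(sample -> dropped msdcsc.exe -> iexplore.exe) from per-call API records and
rate each source/target pair. EVENTS is constructed from the report's
'Suspicious use of WriteProcessMemory' and 'SetThreadContext' entries and is
not the sandbox's export format; image paths come from the process tree."""
from collections import defaultdict
import ntpath

SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96c58abcedcb7648aa4db3c736d69fe7.exe"
DROPPED = r"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
IEXPLORE = r"C:\Program Files (x86)\Internet Explorer\iexplore.exe"

# Directories whose binaries make plausible hollowing hosts: a payload running
# inside one of them inherits a trusted-looking image name. Assumed list.
TRUSTED_DIRS = (r"c:\windows", r"c:\program files", r"c:\program files (x86)")


def ev(api, pid, image, target, target_image):
    """One API-call record: who called what against which process."""
    return {"api": api, "pid": pid, "image": image,
            "target": target, "target_image": target_image}


# Constructed from the report: 4 writes 2772->2784, 1 SetThreadContext and
# 6 writes 2784->2808.
EVENTS = (
    [ev("WriteProcessMemory", 2772, SAMPLE, 2784, DROPPED)] * 4
    + [ev("SetThreadContext", 2784, DROPPED, 2808, IEXPLORE)]
    + [ev("WriteProcessMemory", 2784, DROPPED, 2808, IEXPLORE)] * 6
)


def in_trusted_dir(path: str) -> bool:
    n = ntpath.normcase(path)
    return any(n.startswith(d + "\\") for d in TRUSTED_DIRS)


def pairs(events: list) -> dict:
    """Group injection-relevant calls by (source pid, target pid)."""
    out = defaultdict(lambda: {"apis": set(), "writes": 0})
    for e in events:
        p = out[(e["pid"], e["target"])]
        p["apis"].add(e["api"])
        if e["api"] == "WriteProcessMemory":
            p["writes"] += 1
        p["image"], p["target_image"] = e["image"], e["target_image"]
    return dict(out)


def rate(pair: dict) -> str:
    """Classify one source->target pair by the combination of calls seen."""
    apis = pair["apis"]
    if {"WriteProcessMemory", "SetThreadContext"} <= apis:
        # Writing the child's memory and then replacing a thread context is the
        # process-hollowing pattern; a trusted host image written by an
        # untrusted parent is the strongest form of it.
        if in_trusted_dir(pair["target_image"]) and not in_trusted_dir(pair["image"]):
            return "hollowing-candidate"
        return "thread-context-hijack"
    if "WriteProcessMemory" in apis:
        return "memory-write-only"
    return "none"


def injection_chain(events: list, root_pid: int) -> list:
    """Follow source->target edges from root_pid; ties go to the lowest pid."""
    graph = defaultdict(set)
    for src, dst in pairs(events):
        graph[src].add(dst)
    chain, seen = [root_pid], {root_pid}
    while True:
        nxt = sorted(d for d in graph.get(chain[-1], ()) if d not in seen)
        if not nxt:
            return chain
        chain.append(nxt[0])
        seen.add(nxt[0])


def report(events: list, root_pid: int) -> dict:
    """Chain from the root process plus a rating for every pair seen."""
    ratings = {k: rate(v) for k, v in pairs(events).items()}
    return {"chain": injection_chain(events, root_pid), "ratings": ratings}


if __name__ == "__main__":
    r = report(EVENTS, 2772)
    print(" -> ".join(map(str, r["chain"])))
    for (src, dst), verdict in r["ratings"].items():
        print(f"{src} -> {dst}: {verdict}")
```

For this report the 2772 -> 2784 pair rates as memory-write-only (writes into the dropped copy, no thread-context change) and 2784 -> 2808 as a hollowing candidate, because the target is a Program Files binary and the writer lives under the user profile. The same grouping works on EDR telemetry that records these calls per process.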
Uses Task Scheduler COM API 1 TTPs
The Task Scheduler COM API can be used to schedule applications to run on boot or at set times.
Processes
1. C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96c58abcedcb7648aa4db3c736d69fe7.exe
   Command line: "C:\Users\Admin\AppData\Local\Temp\JaffaCakes118_96c58abcedcb7648aa4db3c736d69fe7.exe"
   PID: 2772
   - Modifies WinLogon for persistence
   - Loads dropped DLL
   - Adds Run key to start application
   - System Location Discovery: System Language Discovery
   - Suspicious use of AdjustPrivilegeToken
   - Suspicious use of WriteProcessMemory
   2. C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      PID: 2784
      - Executes dropped EXE
      - Suspicious use of SetThreadContext
      - System Location Discovery: System Language Discovery
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of WriteProcessMemory
      3. C:\Program Files (x86)\Internet Explorer\iexplore.exe
         Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
         PID: 2808
         - System Location Discovery: System Language Discovery
         - Suspicious use of AdjustPrivilegeToken
1. C:\Windows\explorer.exe (separate root, not spawned by the sample)
   Command line: explorer.exe
   PID: 2868
   - Boot or Logon Autostart Execution: Active Setup
   - Modifies registry class
   - Suspicious behavior: GetForegroundWindowSpam
   - Suspicious use of FindShellTrayWindow
   - Suspicious use of SendNotifyMessage
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (3)
    Active Setup (1)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads
Filesize: 658KB
MD5: 96c58abcedcb7648aa4db3c736d69fe7
SHA1: 39ebcc3bc26ad3c0f6dae3bad07d4b67bd7ca0dc
SHA256: 4f9d477fefef5d8e8915650f97b696760659e2934f9653b955231fae81be7bbb
SHA512: 07b1990e7bdb795487dfd56a9d5292d90bedee054ebbdbb64a093e91740ca0b8b7e81589bf3972db4343573786ec8a2df6c6aad1962ac6c8dd66a50841c49461