Analysis
max time kernel: 122s
max time network: 127s
platform: windows7_x64
resource: win7-20240611-en
resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
submitted: 28-06-2024 00:59
Static task: static1
Behavioral task: behavioral1
Sample: 1834f6834978a185df442ff1c6efec71_JaffaCakes118.exe
Resource: win7-20240611-en
General
Target: 1834f6834978a185df442ff1c6efec71_JaffaCakes118.exe
Size: 1011KB
MD5: 1834f6834978a185df442ff1c6efec71
SHA1: 3b55fae8eee6dfb172f1d8658e33a860ea1fd1c2
SHA256: 2969034b1ff9c108275be7ea6ac98161574f4c5af2ff44056792ab394a5771c1
SHA512: c5abdcd310e92c6b4687ffb556fba68a34d25eb0f044790b30183376f7fecaa64968a38c12e69a9e893c70c45d82aec73f72dcdb84b08e41e052a2f9864f635f
SSDEEP: 24576:jvOTggIRfmQX3zRYC6FVZPv+FWe4Ys/E:zjYlDZ3+UT/E
Malware Config
Extracted
darkcomet
rumah
192.168.1.3:10000
DC_MUTEX-10Q9ZPU
InstallPath: MSDCSC\msdcsc.exe
gencode: oFKnv1gNw9GF
install: true
offline_keylogger: true
persistence: false
reg_key: MicroUpdate
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
Processes:
  svchost.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"

Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes:
  PID 2580 attrib.exe
  PID 2920 attrib.exe

Executes dropped EXE (2 IoCs)
Processes:
  PID 2996 svchost.exe
  PID 2500 msdcsc.exe

Loads dropped DLL (2 IoCs)
Processes:
  PID 1720 1834f6834978a185df442ff1c6efec71_JaffaCakes118.exe
  PID 2996 svchost.exe

Adds Run key to start application (2 TTPs, 1 IoC)
Processes:
  svchost.exe: Set value (str) \REGISTRY\USER\S-1-5-21-39690363-730359138-1046745555-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"

Suspicious use of SetThreadContext (1 IoC)
Processes:
  PID 1720 (1834f6834978a185df442ff1c6efec71_JaffaCakes118.exe) set thread context of PID 2996 (svchost.exe)

Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).

Suspicious use of AdjustPrivilegeToken (23 IoCs)
Processes:
  PID 2996 svchost.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35

Suspicious use of WriteProcessMemory (33 IoCs)
Processes:
  PID 1720 (1834f6834978a185df442ff1c6efec71_JaffaCakes118.exe) wrote to memory of PID 2996 (svchost.exe) (13 entries)
  PID 2996 (svchost.exe) wrote to memory of PID 2592 (cmd.exe) (4 entries)
  PID 2996 (svchost.exe) wrote to memory of PID 2924 (cmd.exe) (4 entries)
  PID 2592 (cmd.exe) wrote to memory of PID 2920 (attrib.exe) (4 entries)
  PID 2924 (cmd.exe) wrote to memory of PID 2580 (attrib.exe) (4 entries)
  PID 2996 (svchost.exe) wrote to memory of PID 2500 (msdcsc.exe) (4 entries)

Views/modifies file attributes (1 TTP, 2 IoCs)
Processes:
  PID 2580 attrib.exe
  PID 2920 attrib.exe
Processes

C:\Users\Admin\AppData\Local\Temp\1834f6834978a185df442ff1c6efec71_JaffaCakes118.exe (depth 1)
  Command line: "C:\Users\Admin\AppData\Local\Temp\1834f6834978a185df442ff1c6efec71_JaffaCakes118.exe"
  - Loads dropped DLL
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory

  C:\Users\Admin\AppData\Local\Temp\svchost.exe (depth 2)
    Command line: C:\Users\Admin\AppData\Local\Temp\svchost.exe
    - Modifies WinLogon for persistence
    - Executes dropped EXE
    - Loads dropped DLL
    - Adds Run key to start application
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\svchost.exe" +s +h
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe (depth 4)
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp\svchost.exe" +s +h
        - Sets file to hidden
        - Views/modifies file attributes

    C:\Windows\SysWOW64\cmd.exe (depth 3)
      Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Suspicious use of WriteProcessMemory

      C:\Windows\SysWOW64\attrib.exe (depth 4)
        Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
        - Sets file to hidden
        - Views/modifies file attributes

    C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (depth 3)
      Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
      - Executes dropped EXE
Network

MITRE ATT&CK Matrix (ATT&CK v13)
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads

C:\Users\Admin\AppData\Local\Temp\svchost.exe
  Filesize: 1.1MB
  MD5: 34aa912defa18c2c129f1e09d75c1d7e
  SHA1: 9c3046324657505a30ecd9b1fdb46c05bde7d470
  SHA256: 6df94b7fa33f1b87142adc39b3db0613fc520d9e7a5fd6a5301dd7f51f8d0386
  SHA512: d1ea9368f5d7166180612fd763c87afb647d088498887961f5e7fb0a10f4a808bd5928e8a3666d70ff794093c51ecca8816f75dd47652fd4eb23dce7f9aa1f98

memory/1720-23-0x0000000074620000-0x0000000074BCB000-memory.dmp
  Filesize: 5.7MB
memory/1720-1-0x0000000074620000-0x0000000074BCB000-memory.dmp
  Filesize: 5.7MB
memory/1720-2-0x0000000074620000-0x0000000074BCB000-memory.dmp
  Filesize: 5.7MB
memory/1720-0-0x0000000074621000-0x0000000074622000-memory.dmp
  Filesize: 4KB
memory/2996-21-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
memory/2996-9-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
memory/2996-22-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
memory/2996-7-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
memory/2996-19-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
memory/2996-17-0x000000007EFDE000-0x000000007EFDF000-memory.dmp
  Filesize: 4KB
memory/2996-11-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
memory/2996-24-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
memory/2996-16-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
memory/2996-15-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
memory/2996-14-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
memory/2996-13-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
memory/2996-12-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB
memory/2996-35-0x0000000000400000-0x00000000004B2000-memory.dmp
  Filesize: 712KB