Analysis
max time kernel: 150s
max time network: 123s
platform: windows7_x64
resource: win7-20240508-en
resource tags: arch:x64, arch:x86, image:win7-20240508-en, locale:en-us, os:windows7-x64, system
submitted: 28-06-2024 04:49

Behavioral task behavioral1 (the run reported on this page; platform and resource above match it)
Sample: 18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Resource: win7-20240508-en

Behavioral task behavioral2
Sample: 18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Resource: win10v2004-20240611-en
General
Target: 18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Size: 750KB
MD5: 18d46ddaa7b3c6afae42058a273789ce
SHA1: 62da1f56cf1792ffc096e56eba14151a274320cc
SHA256: bdd3d2eb31328c3e93623405e820a51b154954ab26008a10072960a99b204e2e
SHA512: ffd39b63ef234314db54e5e1b12aed7bedf661d1e66d3e6ea5c21ceef4b7a176b61131f566e5dfba304da8dd3db8852396d7bbe7f8320bbef0150250ca3c1e75
SSDEEP: 12288:kk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+4:V0QRWoJEfg0oChGdJQbjPbNW5tYeP+GL
Malware Config
Extracted family: darkcomet
Campaign ID: Guest16 (the DarkComet default server ID, so the operator did not rename the campaign)
C2: remila.no-ip.biz:1604 (1604 is the DarkComet default port; the host is a dynamic-DNS name)
Mutex: DC_MUTEX-20J85XY
Attributes:
- InstallPath: MSDCSC\msdcsc.exe
- gencode: NoNpEFiHHBFZ
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
The InstallPath and reg_key values predict exactly what the signatures below record: a copy dropped under Documents\MSDCSC and a Run value named MicroUpdate.
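The "Extracted" block above is the output of a config extractor. As an added example (not Triage's extractor and not code from the sample), the block below shows the decrypt-and-parse step such an extractor performs for DarkComet: the builder configuration is stored as hex-encoded RC4 ciphertext in an RCDATA resource named DCDATA, keyed with a fixed string that differs per DarkComet version, and the plaintext is a list of NAME={value} lines. The candidate key list is the widely documented one for versions 2 through 5.1 and is assumed to be complete enough for this purpose; the plaintext framing lines, the mapping from DarkComet field names to the labels used in this report, and the encrypted blob itself (constructed here from the values above, not dumped from the analysed file) are this example's assumptions. Function names such as `extract` are the example's own.

```python
"""
DarkComet config decrypt-and-parse, as an added example (not Triage's own code).
The encrypted blob used below is constructed from the report's values; it was
not extracted from the analysed sample.
"""
import re

# Documented per-version RC4 keys for DarkComet 2.x to 5.1 (assumed complete enough).
DARKCOMET_KEYS = [b"#KCMDDC2#-890", b"#KCMDDC4#-890", b"#KCMDDC42#-890",
                  b"#KCMDDC42F#-890", b"#KCMDDC5#-890", b"#KCMDDC51#-890"]

def rc4(key: bytes, data: bytes) -> bytes:
    """Plain RC4 (KSA + PRGA); encryption and decryption are the same operation."""
    S = list(range(256))
    j = 0
    for i in range(256):
        j = (j + S[i] + key[i % len(key)]) & 0xFF
        S[i], S[j] = S[j], S[i]
    out = bytearray()
    i = j = 0
    for c in data:
        i = (i + 1) & 0xFF
        j = (j + S[i]) & 0xFF
        S[i], S[j] = S[j], S[i]
        out.append(c ^ S[(S[i] + S[j]) & 0xFF])
    return bytes(out)

# One config line: NAME={value}
FIELD = re.compile(rb"^([A-Z0-9]+)=\{(.*)\}$")

# DarkComet field name -> label used in the report's Malware Config section (assumed mapping).
FIELD_MAP = {
    b"NETDATA": "c2", b"SID": "campaign_id", b"MUTEX": "mutex", b"EDTPATH": "InstallPath",
    b"GENCODE": "gencode", b"INSTALL": "install", b"OFFLINEK": "offline_keylogger",
    b"PERSINST": "persistence", b"KEYNAME": "reg_key",
}
BOOL_FIELDS = {"install", "offline_keylogger", "persistence"}

def decrypt_config(hex_blob: bytes):
    """Try every known key; return (key, plaintext) for the first plausible decryption."""
    raw = bytes.fromhex(hex_blob.decode("ascii"))
    for key in DARKCOMET_KEYS:
        plain = rc4(key, raw)
        if b"MUTEX={" in plain and b"NETDATA={" in plain:   # plausibility check
            return key.decode(), plain
    return None, None

def parse_config(plain: bytes) -> dict:
    """Turn NAME={value} lines into a dict keyed by the report's labels."""
    cfg = {}
    for line in plain.splitlines():
        m = FIELD.match(line.strip())
        if not m:
            continue
        name, val = m.group(1), m.group(2).decode("latin-1")
        label = FIELD_MAP.get(name, name.decode())
        cfg[label] = (val == "1") if label in BOOL_FIELDS else val
    return cfg

def extract(hex_blob: bytes):
    """Full pipeline: hex blob from the DCDATA resource -> labelled config dict, or None."""
    key, plain = decrypt_config(hex_blob)
    if plain is None:
        return None
    cfg = parse_config(plain)
    cfg["rc4_key"] = key
    return cfg

# Constructed sample: the report's values laid out as DarkComet does, then
# RC4-encrypted with the 5.1 key and hex-encoded (assumed framing lines).
SAMPLE_PLAINTEXT = b"\r\n".join([
    b"#BEGIN DARKCOMET DATA --",
    b"MUTEX={DC_MUTEX-20J85XY}",
    b"SID={Guest16}",
    b"NETDATA={remila.no-ip.biz:1604}",
    b"INSTALL={1}",
    b"PERSINST={1}",
    b"OFFLINEK={1}",
    b"EDTPATH={MSDCSC\\msdcsc.exe}",
    b"KEYNAME={MicroUpdate}",
    b"GENCODE={NoNpEFiHHBFZ}",
    b"#EOF DARKCOMET DATA --",
])
SAMPLE_BLOB = rc4(b"#KCMDDC51#-890", SAMPLE_PLAINTEXT).hex().upper().encode()

if __name__ == "__main__":
    for k, v in sorted(extract(SAMPLE_BLOB).items()):
        print(f"{k}: {v}")
```

Because RC4 is symmetric, the same routine encrypts the constructed sample and decrypts a real DCDATA blob; on a real file the blob is read from the resource with a PE parser and handed to `extract` unchanged. Trying every key and keeping the first decryption that contains the expected field markers is what lets one extractor cover all DarkComet builds without knowing the version up front.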
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe", written by 18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
Userinit normally holds only userinit.exe; appending a second path makes winlogon start the dropped copy at every interactive logon, independently of the Run value below.

Deletes itself (1 IoC)
- PID 1836 cmd.exe

Executes dropped EXE (1 IoC)
- PID 2188 msdcsc.exe

Loads dropped DLL (2 IoCs)
- PID 2184 18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe (two loads)

Adds Run key to start application (2 TTPs, 3 IoCs)
All three RAT processes write the same value:
- Set value (str) \REGISTRY\USER\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe", by 18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
- same key and value, by msdcsc.exe
- same key and value, by iexplore.exe
The value name and target path are the reg_key and InstallPath fields of the extracted config.

Suspicious use of SetThreadContext (1 IoC)
- PID 2188 msdcsc.exe set thread context of PID 2732 iexplore.exe

Enumerates physical storage devices (1 TTP)
- Attempts to interact with connected storage/optical drive(s).

Runs ping.exe (1 TTP, 1 IoC)
- PID 2700 PING.EXE, spawned by cmd.exe (see the process tree below)

Suspicious use of AdjustPrivilegeToken (64 IoCs)
Each process in the chain enables the same privileges on its access token:
- PID 2184 18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 entries)
- PID 2188 msdcsc.exe: the same 23 entries
- PID 2732 iexplore.exe: the same sequence through SeManageVolumePrivilege (18 entries; the listing stops at 64 IoCs)
Privilege values 33, 34 and 35 are SeIncreaseWorkingSetPrivilege, SeTimeZonePrivilege and SeCreateSymbolicLinkPrivilege in winnt.h numbering. The 23 entries are the complete privilege set of an administrator token; enabling all of them, SeDebugPrivilege included, is the usual preparation for the cross-process writes recorded below.

Suspicious use of SetWindowsHookEx (1 IoC)
- PID 2732 iexplore.exe (consistent with offline_keylogger=true in the extracted config: the hook is installed from the injected browser process)

Suspicious use of WriteProcessMemory (18 IoCs)
- PID 2184 18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe wrote to PID 1836 cmd.exe (4 writes)
- PID 1836 cmd.exe wrote to PID 2700 PING.EXE (4 writes)
- PID 2184 18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe wrote to PID 2188 msdcsc.exe (4 writes)
- PID 2188 msdcsc.exe wrote to PID 2732 iexplore.exe (6 writes)
The groups of four accompany each process creation; the six writes into iexplore.exe, together with the SetThreadContext call above, are the injection of the RAT body into the browser process.
Processes
The sample runs as a 32-bit process: its children resolve to SysWOW64 and the browser it launches is the Program Files (x86) build. PIDs are taken from the signature rows above.

- C:\Users\Admin\AppData\Local\Temp\18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe (PID 2184)
  command line: "C:\Users\Admin\AppData\Local\Temp\18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\SysWOW64\cmd.exe (PID 1836)
    command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe"
    (ping 127.0.0.1 -n 4 is a roughly three-second delay so that the original file is no longer in use when del runs; the RAT keeps running from the copy in Documents\MSDCSC)
    - Deletes itself
    - Suspicious use of WriteProcessMemory
    - C:\Windows\SysWOW64\PING.EXE (PID 2700)
      command line: ping 127.0.0.1 -n 4
      - Runs ping.exe
  - C:\Users\Admin\Documents\MSDCSC\msdcsc.exe (PID 2188)
    command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe (PID 2732)
      command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      - Adds Run key to start application
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
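The signatures and the process tree above give three host-based detection opportunities that do not depend on the C2 name or the file hash: a Winlogon\Userinit value with anything appended after userinit.exe, a Run value pointing into a user-writable directory, and a cmd.exe command line that pings loopback and then deletes its own parent's image. The block below, added here as an example and not part of the Triage report, implements those three rules over hand-constructed Sysmon-style events (process creation and registry value set). The PIDs, paths and registry values are copied from this report; the event layout, the `Event` class, the rule names and the two benign control events are the example's own assumptions.

```python
"""
Detection rules for the persistence and clean-up behaviour in the report above,
run over constructed Sysmon-style events. Added example, not Triage's signature
code. PIDs and paths are the report's; the event format is assumed.
"""
from __future__ import annotations
import re
from dataclasses import dataclass

@dataclass
class Event:
    kind: str                 # "process" (Sysmon EID 1) or "registry" (Sysmon EID 13)
    pid: int                  # acting process
    image: str                # full path of the acting process
    parent_image: str = ""    # process events only
    command_line: str = ""    # process events only
    target_object: str = ""   # registry events only: key\value written
    details: str = ""         # registry events only: the data written

# The only entry Windows itself places in Winlogon\Userinit.
USERINIT_BASELINE = {r"c:\windows\system32\userinit.exe"}
# Locations an unprivileged user can write to; a Run value pointing here is suspect.
USER_WRITABLE = re.compile(r"^[a-z]:\\users\\[^\\]+\\", re.I)
# cmd.exe "ping 127.0.0.1 -n <count> && del <file>" delayed-delete pattern.
SELF_DELETE = re.compile(
    r'ping\s+127\.0\.0\.1\s+-n\s+\d+\s*&&\s*del\s+"?([^"&]+?\.exe)"?\s*$', re.I)

def _userinit_entries(value: str) -> list[str]:
    """Split the comma-separated Userinit value into normalised paths."""
    return [p.strip().strip('"').lower() for p in value.split(",") if p.strip()]

def check_event(ev: Event) -> list[str]:
    """Return one finding string per rule that fires on this event (empty if none)."""
    findings: list[str] = []
    if ev.kind == "registry":
        key = ev.target_object.lower()
        if key.endswith("\\winlogon\\userinit"):
            for p in _userinit_entries(ev.details):
                if p not in USERINIT_BASELINE:
                    findings.append(f"winlogon_userinit_hijack pid={ev.pid} adds {p}")
        elif "\\currentversion\\run\\" in key:
            target = ev.details.strip().strip('"')
            if USER_WRITABLE.match(target):
                name = key.rsplit("\\", 1)[-1]
                findings.append(f"run_key_user_path pid={ev.pid} {name} -> {target}")
    elif ev.kind == "process" and ev.image.lower().endswith("\\cmd.exe"):
        m = SELF_DELETE.search(ev.command_line)
        if m:
            victim = m.group(1).strip().lower()
            # Deleting the parent's own image is the self-removal case seen in the report.
            tag = "self_delete_parent" if victim == ev.parent_image.lower() else "delayed_delete"
            findings.append(f"{tag} pid={ev.pid} deletes {victim}")
    return findings

def scan(events: list[Event]) -> list[str]:
    """Run every rule over every event and collect the findings in order."""
    return [f for ev in events for f in check_event(ev)]

# Constructed events mirroring the report (not Triage output).
SAMPLE = r"C:\Users\Admin\AppData\Local\Temp\18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe"
DROPPED = r"C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
RUN_KEY = r"HKU\S-1-5-21-268080393-3149932598-1824759070-1000\Software\Microsoft\Windows\CurrentVersion\Run"
USERINIT = r"HKLM\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\Userinit"
EVENTS = [
    Event("registry", 2184, SAMPLE, target_object=USERINIT,
          details=r"C:\Windows\system32\userinit.exe," + DROPPED),
    Event("registry", 2184, SAMPLE, target_object=RUN_KEY + r"\MicroUpdate", details=DROPPED),
    Event("process", 1836, r"C:\Windows\SysWOW64\cmd.exe", parent_image=SAMPLE,
          command_line='"C:\\Windows\\System32\\cmd.exe" /k ping 127.0.0.1 -n 4 && del "' + SAMPLE + '"'),
    Event("process", 2700, r"C:\Windows\SysWOW64\PING.EXE",
          parent_image=r"C:\Windows\SysWOW64\cmd.exe", command_line="ping 127.0.0.1 -n 4"),
    # Benign controls (assumed): a vendor Run value under Program Files, an untouched Userinit.
    Event("registry", 4000, r"C:\Program Files\Vendor\setup.exe",
          target_object=r"HKU\S-1-5-21-1\Software\Microsoft\Windows\CurrentVersion\Run\VendorTray",
          details=r"C:\Program Files\Vendor\tray.exe"),
    Event("registry", 4001, r"C:\Windows\System32\svchost.exe", target_object=USERINIT,
          details=r"C:\Windows\system32\userinit.exe,"),
]

if __name__ == "__main__":
    for finding in scan(EVENTS):
        print(finding)
```

The Userinit rule is the strongest of the three: the value has exactly one legitimate entry, so any appended path is a finding regardless of where it points. The Run rule is a heuristic (software installed per-user legitimately writes Run values under the profile) and is best used to raise a score rather than to alert on its own; the self-delete rule becomes high confidence only when the deleted path equals the parent's image, which is why the tag distinguishes that case.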
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- \Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 750KB
  MD5: 18d46ddaa7b3c6afae42058a273789ce
  SHA1: 62da1f56cf1792ffc096e56eba14151a274320cc
  SHA256: bdd3d2eb31328c3e93623405e820a51b154954ab26008a10072960a99b204e2e
  SHA512: ffd39b63ef234314db54e5e1b12aed7bedf661d1e66d3e6ea5c21ceef4b7a176b61131f566e5dfba304da8dd3db8852396d7bbe7f8320bbef0150250ca3c1e75
  The hashes are identical to those of the submitted sample: the installed msdcsc.exe is a byte-for-byte copy of the original, so a hash-based block on the submitted file also covers the dropped one.
- memory/2184-0-0x0000000000260000-0x0000000000261000-memory.dmp, Filesize: 4KB
- memory/2184-11-0x0000000000400000-0x00000000004C9000-memory.dmp, Filesize: 804KB
- memory/2188-14-0x0000000000400000-0x00000000004C9000-memory.dmp, Filesize: 804KB
- memory/2732-13-0x0000000000400000-0x00000000004C9000-memory.dmp, Filesize: 804KB
  The same 804KB (0xC9000-byte) region at image base 0x400000 is dumped from the original process (2184), the dropped copy (2188) and iexplore.exe (2732). Finding the RAT-sized image at that base inside the browser process is consistent with the RAT body having been written into iexplore.exe, the process-hollowing step behind the SetThreadContext and WriteProcessMemory signatures above; the iexplore.exe dump is the one to unpack if the on-disk file is packed.