Analysis
- max time kernel: 150s
- max time network: 153s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 28-06-2024 04:49
Behavioral task: behavioral1
- Sample: 18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
- Resource: win7-20240508-en
Behavioral task: behavioral2
- Sample: 18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
- Size: 750KB
- MD5: 18d46ddaa7b3c6afae42058a273789ce
- SHA1: 62da1f56cf1792ffc096e56eba14151a274320cc
- SHA256: bdd3d2eb31328c3e93623405e820a51b154954ab26008a10072960a99b204e2e
- SHA512: ffd39b63ef234314db54e5e1b12aed7bedf661d1e66d3e6ea5c21ceef4b7a176b61131f566e5dfba304da8dd3db8852396d7bbe7f8320bbef0150250ca3c1e75
- SSDEEP: 12288:kk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+4:V0QRWoJEfg0oChGdJQbjPbNW5tYeP+GL
Malware Config
Extracted
- Family: darkcomet
- Botnet / campaign ID: Guest16
- C2: remila.no-ip.biz:1604
- Mutex: DC_MUTEX-20J85XY
Attributes
- InstallPath: MSDCSC\msdcsc.exe
- gencode: NoNpEFiHHBFZ
- install: true
- offline_keylogger: true
- persistence: true
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
    process: 18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up the country code configured in the registry, likely a geofence.
  Processes:
    description: Key value queried
    ioc: \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\Control Panel\International\Geo\Nation
    process: 18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
- Executes dropped EXE (1 IoC)
  Processes:
    pid: 2064
    process: msdcsc.exe
- Adds Run key to start application (2 TTPs, 2 IoCs)
  Processes:
    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
    process: 18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe

    description: Set value (str)
    ioc: \REGISTRY\USER\S-1-5-21-3169499791-3545231813-3156325206-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Users\\Admin\\Documents\\MSDCSC\\msdcsc.exe"
    process: msdcsc.exe
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Modifies registry class (1 IoC)
  Processes:
    description: Key created
    ioc: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\
    process: 18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
- Runs ping.exe (1 TTP, 1 IoC)
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes:
    pid 4708, process 18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
    pid 2064, process msdcsc.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes:
    pid: 2064
    process: msdcsc.exe
- Suspicious use of WriteProcessMemory (14 IoCs)
  Processes (description, pid, process, target process):
    PID 4708 wrote to memory of 2764 | 4708 | 18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe | cmd.exe (3 entries)
    PID 2764 wrote to memory of 3664 | 2764 | cmd.exe | PING.EXE (3 entries)
    PID 4708 wrote to memory of 2064 | 4708 | 18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe | msdcsc.exe (3 entries)
    PID 2064 wrote to memory of 4092 | 2064 | msdcsc.exe | iexplore.exe (3 entries)
    PID 2064 wrote to memory of 1140 | 2064 | msdcsc.exe | explorer.exe (2 entries)
Processes
[1] C:\Users\Admin\AppData\Local\Temp\18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe
    Command line: "C:\Users\Admin\AppData\Local\Temp\18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe"
    - Modifies WinLogon for persistence
    - Checks computer location settings
    - Adds Run key to start application
    - Modifies registry class
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    [2] C:\Windows\SysWOW64\cmd.exe
        Command line: "C:\Windows\System32\cmd.exe" /k ping 127.0.0.1 -n 4 && del "C:\Users\Admin\AppData\Local\Temp\18d46ddaa7b3c6afae42058a273789ce_JaffaCakes118.exe"
        - Suspicious use of WriteProcessMemory
        [3] C:\Windows\SysWOW64\PING.EXE
            Command line: ping 127.0.0.1 -n 4
            - Runs ping.exe
    [2] C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
        Command line: "C:\Users\Admin\Documents\MSDCSC\msdcsc.exe"
        - Executes dropped EXE
        - Adds Run key to start application
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of SetWindowsHookEx
        - Suspicious use of WriteProcessMemory
        [3] C:\Program Files (x86)\Internet Explorer\iexplore.exe
            Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
        [3] C:\Windows\explorer.exe
            Command line: "C:\Windows\explorer.exe"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\Documents\MSDCSC\msdcsc.exe
  Filesize: 750KB
  MD5: 18d46ddaa7b3c6afae42058a273789ce
  SHA1: 62da1f56cf1792ffc096e56eba14151a274320cc
  SHA256: bdd3d2eb31328c3e93623405e820a51b154954ab26008a10072960a99b204e2e
  SHA512: ffd39b63ef234314db54e5e1b12aed7bedf661d1e66d3e6ea5c21ceef4b7a176b61131f566e5dfba304da8dd3db8852396d7bbe7f8320bbef0150250ca3c1e75
- memory/2064-67-0x0000000000400000-0x00000000004C9000-memory.dmp (Filesize: 804KB)
- memory/2064-62-0x00000000022C0000-0x00000000022C1000-memory.dmp (Filesize: 4KB)
- memory/2064-69-0x0000000000400000-0x00000000004C9000-memory.dmp (Filesize: 804KB)
- memory/2064-70-0x0000000000400000-0x00000000004C9000-memory.dmp (Filesize: 804KB)
- memory/2064-64-0x0000000000400000-0x00000000004C9000-memory.dmp (Filesize: 804KB)
- memory/2064-65-0x00000000022C0000-0x00000000022C1000-memory.dmp (Filesize: 4KB)
- memory/2064-66-0x0000000000400000-0x00000000004C9000-memory.dmp (Filesize: 804KB)
- memory/2064-68-0x0000000000400000-0x00000000004C9000-memory.dmp (Filesize: 804KB)
- memory/2064-77-0x0000000000400000-0x00000000004C9000-memory.dmp (Filesize: 804KB)
- memory/2064-76-0x0000000000400000-0x00000000004C9000-memory.dmp (Filesize: 804KB)
- memory/2064-63-0x0000000000400000-0x00000000004C9000-memory.dmp (Filesize: 804KB)
- memory/2064-71-0x0000000000400000-0x00000000004C9000-memory.dmp (Filesize: 804KB)
- memory/2064-72-0x0000000000400000-0x00000000004C9000-memory.dmp (Filesize: 804KB)
- memory/2064-73-0x0000000000400000-0x00000000004C9000-memory.dmp (Filesize: 804KB)
- memory/2064-74-0x0000000000400000-0x00000000004C9000-memory.dmp (Filesize: 804KB)
- memory/2064-75-0x0000000000400000-0x00000000004C9000-memory.dmp (Filesize: 804KB)
- memory/4708-60-0x0000000000400000-0x00000000004C9000-memory.dmp (Filesize: 804KB)
- memory/4708-0-0x0000000002150000-0x0000000002151000-memory.dmp (Filesize: 4KB)