Analysis

Max time kernel: 150s
Max time network: 144s
Platform: windows10-2004_x64
Resource: win10v2004-20240611-en
Resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
Submitted: 01-07-2024 19:12
Behavioral task: behavioral1
Sample: 1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Resource: win7-20240419-en
General

Target: 1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
Size: 758KB
MD5: 1c2d1c88e9597535bc77f312f3eed94b
SHA1: 5313e64a644abf63c7a653ef3383d2cba4bb2470
SHA256: 151a6374669a557f4b91682dff916e16088173c995f4cbf239b6d8828886ec89
SHA512: b435a3f06d218ce817783c5e3783e210bdc3860d7e330b4953a1b7b2a08e0c925b8937f52d6c6947c32613aceec1bc31897289a4c2bea81e2b12e563a8195ab4
SSDEEP: 12288:8X2JVHMRtDaSm3TJvVNvWV5YTsY7tHwbz/htfcoCoK632zb7G/QoFCk:qss2Sm39NNv9wY7tHwbzfIoK6Mook
Malware Config

Extracted

Family: darkcomet
Botnet: nsm
C2: dark.dnsd.info:1604
Mutex: DC_MUTEX-BBCMREG
Attributes:
  InstallPath: MSDCSC\lsassc.exe
  gencode: rArbm2GK8iZn
  install: true
  offline_keylogger: false
  persistence: true
  reg_key: lsass.exe
Signatures

Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\lsassc.exe"  [process: 1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe]

Sets file to hidden (1 TTP, 2 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.
  PID 4868 attrib.exe
  PID 2756 attrib.exe

Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Key value queried: \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\Control Panel\International\Geo\Nation  [process: 1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe]

Executes dropped EXE (1 IoC)
  PID 4520 lsassc.exe

Adds Run key to start application (2 TTPs, 2 IoCs)
  Set value (str): \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\lsassc.exe"  [process: 1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe]
  Set value (str): \REGISTRY\USER\S-1-5-21-2447855248-390457009-3660902674-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\lsass.exe = "C:\\ProgramData\\Microsoft\\Windows\\Start Menu\\MSDCSC\\lsassc.exe"  [process: lsassc.exe]

Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).

Program crash (1 IoC)
  PID 828 WerFault.exe, target PID 1516 notepad.exe

Modifies registry class (1 IoC)
  Key created: \REGISTRY\MACHINE\SOFTWARE\Classes\WOW6432Node\CLSID\{1f3427c8-5c10-4210-aa03-2ee45287d668}\Instance\  [process: 1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe]

Suspicious behavior: GetForegroundWindowSpam (1 IoC)
  PID 4520 lsassc.exe

Suspicious use of AdjustPrivilegeToken (48 IoCs)
  PID 3004 1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe, tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  PID 4520 lsassc.exe, tokens: the same 24 as PID 3004 above (SeIncreaseQuotaPrivilege through SeCreateGlobalPrivilege, plus 33, 34, 35, 36)

Suspicious use of WriteProcessMemory (54 IoCs)
  PID 3004 1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe wrote to memory of PID 5016 cmd.exe (3 times)
  PID 3004 1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe wrote to memory of PID 4140 cmd.exe (3 times)
  PID 3004 1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe wrote to memory of PID 1516 notepad.exe (17 times)
  PID 4140 cmd.exe wrote to memory of PID 4868 attrib.exe (3 times)
  PID 5016 cmd.exe wrote to memory of PID 2756 attrib.exe (3 times)
  PID 3004 1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe wrote to memory of PID 4520 lsassc.exe (3 times)
  PID 4520 lsassc.exe wrote to memory of PID 2272 notepad.exe (22 times)

Views/modifies file attributes (1 TTP, 2 IoCs)
  PID 4868 attrib.exe
  PID 2756 attrib.exe
Processes

(depth 1) C:\Users\Admin\AppData\Local\Temp\1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Modifies registry class
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe" +s +h
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\1c2d1c88e9597535bc77f312f3eed94b_JaffaCakes118.exe" +s +h
      - Sets file to hidden
      - Views/modifies file attributes

  (depth 2) C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      - Sets file to hidden
      - Views/modifies file attributes

  (depth 2) C:\Windows\SysWOW64\notepad.exe
    Command line: notepad

    (depth 3) C:\Windows\SysWOW64\WerFault.exe
      Command line: C:\Windows\SysWOW64\WerFault.exe -u -p 1516 -s 128
      - Program crash

  (depth 2) C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\lsassc.exe
    Command line: "C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\lsassc.exe"
    - Executes dropped EXE
    - Adds Run key to start application
    - Suspicious behavior: GetForegroundWindowSpam
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    (depth 3) C:\Windows\SysWOW64\notepad.exe
      Command line: notepad

(depth 1) C:\Windows\SysWOW64\WerFault.exe
  Command line: C:\Windows\SysWOW64\WerFault.exe -pss -s 408 -p 1516 -ip 1516
Network
MITRE ATT&CK Matrix (ATT&CK v13)

Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)

Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
Downloads

C:\ProgramData\Microsoft\Windows\Start Menu\MSDCSC\lsassc.exe
  Filesize: 758KB
  MD5: 1c2d1c88e9597535bc77f312f3eed94b
  SHA1: 5313e64a644abf63c7a653ef3383d2cba4bb2470
  SHA256: 151a6374669a557f4b91682dff916e16088173c995f4cbf239b6d8828886ec89
  SHA512: b435a3f06d218ce817783c5e3783e210bdc3860d7e330b4953a1b7b2a08e0c925b8937f52d6c6947c32613aceec1bc31897289a4c2bea81e2b12e563a8195ab4

memory/1516-3-0x00000000007E0000-0x00000000007E1000-memory.dmp
  Filesize: 4KB

memory/2272-63-0x0000000000C80000-0x0000000000C81000-memory.dmp
  Filesize: 4KB

memory/3004-0-0x00000000023E0000-0x00000000023E1000-memory.dmp
  Filesize: 4KB

memory/3004-62-0x0000000000400000-0x00000000004CC000-memory.dmp
  Filesize: 816KB

memory/4520-65-0x0000000000400000-0x00000000004CC000-memory.dmp
  Filesize: 816KB

memory/4520-67-0x0000000000400000-0x00000000004CC000-memory.dmp
  Filesize: 816KB

memory/4520-69-0x0000000000400000-0x00000000004CC000-memory.dmp
  Filesize: 816KB

memory/4520-71-0x0000000000400000-0x00000000004CC000-memory.dmp
  Filesize: 816KB

memory/4520-75-0x0000000000400000-0x00000000004CC000-memory.dmp
  Filesize: 816KB