Analysis
- Max time kernel: 150s
- Max time network: 120s
- Platform: windows7_x64
- Resource: win7-20240611-en
- Resource tags: arch:x64, arch:x86, image:win7-20240611-en, locale:en-us, os:windows7-x64, system
- Submitted: 04-07-2024 04:37
Behavioral task behavioral1
- Sample: 24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task behavioral2
- Sample: 24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
- Size: 651KB
- MD5: 24a695bd98fe12ff40dfea58fa37a87e
- SHA1: a6f2d32c7e0dca5cf6f116e4805b093e3c672256
- SHA256: 7044ddd8b6a0a4dd7edd7989da538ed017522e3665ce3d0eaef606123a922f50
- SHA512: 0318fae3986389a91edfb4ae11509178993f4d3f0a588a9c369be1432a091c6c8d5abf697353dedf79d2c2dd4be08f20751c1fe5b6a56dcfa100e9e0d552ed23
- SSDEEP: 12288:Lk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+y:g0QRWoJEfg0oChGdJQbjPbNW5tYeP+GX
Malware Config
Extracted family: darkcomet
- Campaign ID: Guest16
- C2: mnanauk-dz.no-ip.biz:1604
- Mutex: DC_MUTEX-EB46CLG
- InstallPath: MSDCSC\msdcsc.exe
- gencode: rpfQbN9b66NT
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Process 24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe: Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\MSDCSC\\msdcsc.exe"
- Executes dropped EXE (1 IoC)
  PID 2660 msdcsc.exe
- Loads dropped DLL (1 IoC)
  PID 2652 24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Process 24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe: Set value (str) \REGISTRY\USER\S-1-5-21-2812790648-3157963462-487717889-1000\Software\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\MSDCSC\\msdcsc.exe"
- Suspicious use of SetThreadContext (1 IoC)
  PID 2660 msdcsc.exe set thread context of PID 2708 iexplore.exe
- Drops file in Windows directory (3 IoCs)
  File created: C:\Windows\MSDCSC\msdcsc.exe (by 24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe)
  File opened for modification: C:\Windows\MSDCSC\msdcsc.exe (by 24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe)
  File opened for modification: C:\Windows\MSDCSC\ (by 24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (64 IoCs)
  Processes: 24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe, msdcsc.exe, iexplore.exe
  PID 2652 24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 IoCs)
  PID 2660 msdcsc.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35 (23 IoCs)
  PID 2708 iexplore.exe, Token: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege (18 IoCs)
- Suspicious use of SetWindowsHookEx (1 IoC)
  PID 2708 iexplore.exe
- Suspicious use of WriteProcessMemory (10 IoCs)
  PID 2652 24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe wrote to memory of PID 2660 msdcsc.exe (4 events)
  PID 2660 msdcsc.exe wrote to memory of PID 2708 iexplore.exe (6 events)
Processes
- 1: C:\Users\Admin\AppData\Local\Temp\24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Loads dropped DLL
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - 2: C:\Windows\MSDCSC\msdcsc.exe
    Command line: "C:\Windows\MSDCSC\msdcsc.exe"
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - 3: C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
      - Suspicious use of AdjustPrivilegeToken
      - Suspicious use of SetWindowsHookEx
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- \Windows\MSDCSC\msdcsc.exe
  Filesize: 651KB
  MD5: 24a695bd98fe12ff40dfea58fa37a87e
  SHA1: a6f2d32c7e0dca5cf6f116e4805b093e3c672256
  SHA256: 7044ddd8b6a0a4dd7edd7989da538ed017522e3665ce3d0eaef606123a922f50
  SHA512: 0318fae3986389a91edfb4ae11509178993f4d3f0a588a9c369be1432a091c6c8d5abf697353dedf79d2c2dd4be08f20751c1fe5b6a56dcfa100e9e0d552ed23
- memory/2652-0-0x0000000000280000-0x0000000000281000-memory.dmp
  Filesize: 4KB
- memory/2652-8-0x0000000000400000-0x00000000004B0000-memory.dmp
  Filesize: 704KB
- memory/2660-9-0x0000000000660000-0x0000000000661000-memory.dmp
  Filesize: 4KB
- memory/2660-12-0x0000000000400000-0x00000000004B0000-memory.dmp
  Filesize: 704KB
- memory/2708-11-0x0000000000400000-0x00000000004B0000-memory.dmp
  Filesize: 704KB