Analysis
- max time kernel: 150s
- max time network: 149s
- platform: windows10-2004_x64
- resource: win10v2004-20240611-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240611-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 04-07-2024 04:37
Behavioral task: behavioral1
- Sample: 24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
- Resource: win7-20240611-en
Behavioral task: behavioral2
- Sample: 24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
- Resource: win10v2004-20240611-en
General
- Target: 24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
- Size: 651KB
- MD5: 24a695bd98fe12ff40dfea58fa37a87e
- SHA1: a6f2d32c7e0dca5cf6f116e4805b093e3c672256
- SHA256: 7044ddd8b6a0a4dd7edd7989da538ed017522e3665ce3d0eaef606123a922f50
- SHA512: 0318fae3986389a91edfb4ae11509178993f4d3f0a588a9c369be1432a091c6c8d5abf697353dedf79d2c2dd4be08f20751c1fe5b6a56dcfa100e9e0d552ed23
- SSDEEP: 12288:Lk0QVlhmPojAPTMEsUTg0oChO/Q2JbsbjPbN5qhRTtYe3f+Iw86k/9/+y:g0QRWoJEfg0oChGdJQbjPbNW5tYeP+GX
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16
- C2: mnanauk-dz.no-ip.biz:1604
- Mutex: DC_MUTEX-EB46CLG
- InstallPath: MSDCSC\msdcsc.exe
- gencode: rpfQbN9b66NT
- install: true
- offline_keylogger: true
- persistence: false
- reg_key: MicroUpdate
Signatures
- Modifies WinLogon for persistence (2 TTPs, 1 IoC)
  Processes: 24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
  Set value (str): \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\MSDCSC\\msdcsc.exe" (process: 24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe)
- Checks computer location settings (2 TTPs, 1 IoC)
  Looks up country code configured in the registry, likely geofence.
  Processes: 24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
  Key value queried: \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\Control Panel\International\Geo\Nation (process: 24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe)
- Executes dropped EXE (1 IoC)
  Processes: msdcsc.exe
  PID 3428: msdcsc.exe
- Adds Run key to start application (2 TTPs, 1 IoC)
  Processes: 24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
  Set value (str): \REGISTRY\USER\S-1-5-21-3665033694-1447845302-680750983-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\MicroUpdate = "C:\\Windows\\MSDCSC\\msdcsc.exe" (process: 24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe)
- Drops file in Windows directory (3 IoCs)
  Processes: 24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
  File created: C:\Windows\MSDCSC\msdcsc.exe (process: 24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe)
  File opened for modification: C:\Windows\MSDCSC\msdcsc.exe (process: 24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe)
  File opened for modification: C:\Windows\MSDCSC\ (process: 24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe)
- Enumerates physical storage devices (1 TTP)
  Attempts to interact with connected storage/optical drive(s).
- Suspicious use of AdjustPrivilegeToken (48 IoCs)
  Processes: 24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe, msdcsc.exe
  PID 2180 (24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe) tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
  PID 3428 (msdcsc.exe) tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36
- Suspicious use of SetWindowsHookEx (1 IoC)
  Processes: msdcsc.exe
  PID 3428: msdcsc.exe
- Suspicious use of WriteProcessMemory (8 IoCs)
  Processes: 24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe, msdcsc.exe
  PID 2180 (24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe) wrote to memory of PID 3428 (msdcsc.exe), 3 times
  PID 3428 (msdcsc.exe) wrote to memory of PID 2268 (iexplore.exe), 3 times
  PID 3428 (msdcsc.exe) wrote to memory of PID 1484 (explorer.exe), 2 times
Processes
- C:\Users\Admin\AppData\Local\Temp\24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\24a695bd98fe12ff40dfea58fa37a87e_JaffaCakes118.exe"
  - Modifies WinLogon for persistence
  - Checks computer location settings
  - Adds Run key to start application
  - Drops file in Windows directory
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - C:\Windows\MSDCSC\msdcsc.exe
    Command line: "C:\Windows\MSDCSC\msdcsc.exe"
    - Executes dropped EXE
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of SetWindowsHookEx
    - Suspicious use of WriteProcessMemory
    - C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
    - C:\Windows\explorer.exe
      Command line: "C:\Windows\explorer.exe"
- C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
  Command line: "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --field-trial-handle=2736,i,11069752405888604640,8928124405695604965,262144 --variations-seed-version --mojo-platform-channel-handle=3104 /prefetch:8
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Windows\MSDCSC\msdcsc.exe
  Filesize: 651KB
  MD5: 24a695bd98fe12ff40dfea58fa37a87e
  SHA1: a6f2d32c7e0dca5cf6f116e4805b093e3c672256
  SHA256: 7044ddd8b6a0a4dd7edd7989da538ed017522e3665ce3d0eaef606123a922f50
  SHA512: 0318fae3986389a91edfb4ae11509178993f4d3f0a588a9c369be1432a091c6c8d5abf697353dedf79d2c2dd4be08f20751c1fe5b6a56dcfa100e9e0d552ed23
- memory/2180-0-0x0000000002260000-0x0000000002261000-memory.dmp (Filesize: 4KB)
- memory/2180-13-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/3428-19-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/3428-21-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/3428-16-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/3428-17-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/3428-18-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/3428-14-0x00000000022D0000-0x00000000022D1000-memory.dmp (Filesize: 4KB)
- memory/3428-20-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/3428-15-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/3428-22-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/3428-23-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/3428-24-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/3428-25-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/3428-26-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/3428-27-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/3428-28-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)