Analysis

- max time kernel: 146s
- max time network: 152s
- platform: windows10-2004_x64
- resource: win10v2004-20240319-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240319-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 29-03-2024 15:47
Static task: static1
Behavioral task: behavioral1
Sample: 25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
Resource: win7-20240221-en
General

- Target: 25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
- Size: 850KB
- MD5: 25fef2629b1a28be76522da59a85506f
- SHA1: e1c6b2ac497f253cb03aa69505111532b4241a38
- SHA256: 1736d604d6c8a14948ebe5386727ca3de215e1163904eac094b39769b8faea64
- SHA512: 8656b9393d45dda010013825238b8254404b89316511b66877f78ad5b61008cb4d50e48e749cb646ada5891299b85dd7342336b4024e034865cfa07d47e08617
- SSDEEP: 12288:j6qvGvd8EgWCKXtWxWT56LbdJ0Ua0c1xHVkPyjRIBTK+jUOq6fgJg0Ges/5rBY6:hvGvd8HK9hwLbdJp6/kIo7f
Malware Config

Extracted

- Family: darkcomet
- Botnet: Guest16
- C2: 6.tcp.ngrok.io:10371
- Mutex: DC_MUTEX-6TC6YTT
- gencode: 6Wpjj0ueCN6h
- install: false
- offline_keylogger: true
- persistence: false
Signatures

- Disables Task Manager via registry modification

- Sets file to hidden (1 TTPs, 1 IoCs)
  Modifies file attributes to stop it showing in Explorer etc.

- Checks computer location settings (2 TTPs, 1 IoCs)
  Looks up country code configured in the registry, likely geofence.
  Processes: 25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe

    description        ioc                                                                                                  process
    Key value queried  \REGISTRY\USER\S-1-5-21-817259280-2658881748-983986378-1000\Control Panel\International\Geo\Nation  25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe

- Suspicious use of SetThreadContext (2 IoCs)
  Processes: 25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe, 25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe

    description                         pid  process                                              target process
    PID 400 set thread context of 832   400  25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe  25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
    PID 832 set thread context of 2368  832  25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe  iexplore.exe

- Enumerates physical storage devices (1 TTPs)
  Attempts to interact with connected storage/optical drive(s).

- Suspicious behavior: EnumeratesProcesses (4 IoCs)
  Processes: 25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe

    pid  process                                              occurrences
    400  25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe  4

- Suspicious use of AdjustPrivilegeToken (25 IoCs)
  Processes: 25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe, 25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe

    pid  process                                              tokens
    400  25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe  SeDebugPrivilege
    832  25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe  SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35, 36

- Suspicious use of WriteProcessMemory (27 IoCs)
  Processes: 25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe, 25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe, cmd.exe, iexplore.exe

    description                       pid   process                                              target process                                       occurrences
    PID 400 wrote to memory of 832    400   25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe  25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe  12
    PID 832 wrote to memory of 1628   832   25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe  cmd.exe                                              3
    PID 832 wrote to memory of 2368   832   25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe  iexplore.exe                                         5
    PID 1628 wrote to memory of 3272  1628  cmd.exe                                              attrib.exe                                           3
    PID 2368 wrote to memory of 1108  2368  iexplore.exe                                         msedge.exe                                           2
    PID 2368 wrote to memory of 4064  2368  iexplore.exe                                         msedge.exe                                           2

- Views/modifies file attributes (1 TTPs, 1 IoCs)
Processes (indentation shows process-tree depth; the bracketed number is the depth reported by the sandbox)

[1] C:\Users\Admin\AppData\Local\Temp\25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
    "C:\Users\Admin\AppData\Local\Temp\25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe"
    - Suspicious use of SetThreadContext
    - Suspicious behavior: EnumeratesProcesses
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe
        "C:\Users\Admin\AppData\Local\Temp\25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe"
        - Checks computer location settings
        - Suspicious use of SetThreadContext
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe
            "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe" +s +h
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\attrib.exe
                attrib "C:\Users\Admin\AppData\Local\Temp\25fef2629b1a28be76522da59a85506f_JaffaCakes118.exe" +s +h
                - Sets file to hidden
                - Views/modifies file attributes

        [3] C:\Program Files (x86)\Internet Explorer\iexplore.exe
            "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            - Suspicious use of WriteProcessMemory

            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

            [4] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
                "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --single-argument http://go.microsoft.com/fwlink/?prd=11324&pver=4.5&sbp=AppLaunch2&plcid=0x409&o1=SHIM_NOVERSION_FOUND&version=(null)&processName=iexplore.exe&platform=0009&osver=7&isServer=0&shimver=4.0.30319.0

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=17 --mojo-platform-channel-handle=2092 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:1

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=18 --mojo-platform-channel-handle=5604 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:1

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=asset_store.mojom.AssetStoreService --lang=en-US --service-sandbox-type=asset_store_service --no-appcompat-clear --mojo-platform-channel-handle=4912 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:8

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=20 --mojo-platform-channel-handle=5556 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:1

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=data_decoder.mojom.DataDecoderService --lang=en-US --service-sandbox-type=service --no-appcompat-clear --mojo-platform-channel-handle=5664 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:8

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=22 --mojo-platform-channel-handle=5908 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:1

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=23 --mojo-platform-channel-handle=5932 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:1

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=utility --utility-sub-type=edge_search_indexer.mojom.SearchIndexerInterfaceBroker --lang=en-US --service-sandbox-type=search_indexer --message-loop-type-ui --no-appcompat-clear --mojo-platform-channel-handle=5768 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:8

[1] C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe
    "C:\Program Files (x86)\Microsoft\Edge\Application\msedge.exe" --type=renderer --no-appcompat-clear --disable-gpu-compositing --lang=en-US --js-flags=--ms-user-locale= --device-scale-factor=1 --num-raster-threads=1 --renderer-client-id=25 --mojo-platform-channel-handle=6236 --field-trial-handle=2288,i,10301911031503898037,2997280636231771547,262144 --variations-seed-version /prefetch:1
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
memory dump                                                      Filesize
memory/400-6-0x000000000AD70000-0x000000000AD7A000-memory.dmp    40KB
memory/400-0-0x0000000000AF0000-0x0000000000BCC000-memory.dmp    880KB
memory/400-2-0x00000000055C0000-0x00000000055C6000-memory.dmp    24KB
memory/400-3-0x0000000002E80000-0x0000000002E90000-memory.dmp    64KB
memory/400-4-0x000000000B190000-0x000000000B734000-memory.dmp    5.6MB
memory/400-5-0x000000000AE00000-0x000000000AE92000-memory.dmp    584KB
memory/400-1-0x0000000074CE0000-0x0000000075490000-memory.dmp    7.7MB
memory/400-10-0x0000000074CE0000-0x0000000075490000-memory.dmp   7.7MB
memory/832-11-0x0000000000400000-0x00000000004CD000-memory.dmp   820KB
memory/832-7-0x0000000000400000-0x00000000004CD000-memory.dmp    820KB
memory/832-9-0x0000000000400000-0x00000000004CD000-memory.dmp    820KB
memory/832-13-0x00000000013E0000-0x00000000013E1000-memory.dmp   4KB
memory/832-12-0x0000000000400000-0x00000000004CD000-memory.dmp   820KB
memory/832-15-0x0000000000400000-0x00000000004CD000-memory.dmp   820KB