Analysis
- max time kernel: 146s
- max time network: 159s
- platform: windows10-2004_x64
- resource: win10v2004-20240226-en
- resource tags: arch:x64, arch:x86, image:win10v2004-20240226-en, locale:en-us, os:windows10-2004-x64, system
- submitted: 06-04-2024 15:23
Static task
- static1
Behavioral task
- behavioral1
  - Sample: e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe
  - Resource: win7-20240221-en
Behavioral task
- behavioral2
  - Sample: e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe
  - Resource: win10v2004-20240226-en
General
- Target: e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe
- Size: 1.1MB
- MD5: e2d5f98dbb215361dc39bbf892aafd80
- SHA1: 0e6eaceea0820c4ccd859a5c1aa1bd7224897f2f
- SHA256: 8a84c9d58284fbe1729e7c8c0ffcc8f47ec59eac7f05faaf6e1ecf69950a08e7
- SHA512: d2163fb08c30cae411da1073b0628b4c12f09ff0961172f7c8828e3a3ac22138a5bc71aaf2321d7cd450543b78071e606da3b63e60a74c0d00234389c889a797
- SSDEEP: 12288:ZNip5W70M8BJ2ds9q1pfWeOyGtYWDmTis+MdbKBJPA0iLKPlAHBkia4rBwb4X0kF:Ze5ysJN6WarKba1DsaG+huViB
Malware Config
Extracted
- Family: darkcomet
- Botnet: Guest16
- C2: 127.0.0.1:1604
- Mutex: DC_MUTEX-X8BTGZP
- Attributes:
  - gencode: gLKKW46aGkvG
  - install: false
  - offline_keylogger: true
  - persistence: false
Signatures
- Executes dropped EXE (1 IoCs)
  Processes (pid, process):
  - 3676 | vbc.exe
- Uses the VBS compiler for execution (1 TTPs)
- Adds Run key to start application (2 TTPs, 1 IoCs)
  Processes (description, ioc, process):
  - Set value (str) | \REGISTRY\USER\S-1-5-21-609813121-2907144057-1731107329-1000\SOFTWARE\Microsoft\Windows\CurrentVersion\Run\WinUpdtr = "C:\\Users\\Admin\\AppData\\Roaming\\WinUpdtr\\e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe" | e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe
- Suspicious use of SetThreadContext (2 IoCs)
  Processes (description, pid, process, target process):
  - PID 4224 set thread context of 3676 | 4224 | e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe | vbc.exe
  - PID 3676 set thread context of 388 | 3676 | vbc.exe | iexplore.exe
- Suspicious use of AdjustPrivilegeToken (24 IoCs)
  Processes (description, pid, process); every entry is pid 3676, process vbc.exe:
  - Token: SeIncreaseQuotaPrivilege
  - Token: SeSecurityPrivilege
  - Token: SeTakeOwnershipPrivilege
  - Token: SeLoadDriverPrivilege
  - Token: SeSystemProfilePrivilege
  - Token: SeSystemtimePrivilege
  - Token: SeProfSingleProcessPrivilege
  - Token: SeIncBasePriorityPrivilege
  - Token: SeCreatePagefilePrivilege
  - Token: SeBackupPrivilege
  - Token: SeRestorePrivilege
  - Token: SeShutdownPrivilege
  - Token: SeDebugPrivilege
  - Token: SeSystemEnvironmentPrivilege
  - Token: SeChangeNotifyPrivilege
  - Token: SeRemoteShutdownPrivilege
  - Token: SeUndockPrivilege
  - Token: SeManageVolumePrivilege
  - Token: SeImpersonatePrivilege
  - Token: SeCreateGlobalPrivilege
  - Token: 33
  - Token: 34
  - Token: 35
  - Token: 36
- Suspicious use of WriteProcessMemory (19 IoCs)
  Processes (description, pid, process, target process):
  - PID 4224 wrote to memory of 3676 | 4224 | e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe | vbc.exe (14 entries)
  - PID 3676 wrote to memory of 388 | 3676 | vbc.exe | iexplore.exe (5 entries)
Processes
- [1] C:\Users\Admin\AppData\Local\Temp\e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e2d5f98dbb215361dc39bbf892aafd80_JaffaCakes118.exe"
  - Adds Run key to start application
  - Suspicious use of SetThreadContext
  - Suspicious use of WriteProcessMemory
  - [2] C:\Users\Admin\AppData\Local\Temp\vbc.exe
    Command line: C:\Users\Admin\AppData\Local\Temp\vbc.exe
    - Executes dropped EXE
    - Suspicious use of SetThreadContext
    - Suspicious use of AdjustPrivilegeToken
    - Suspicious use of WriteProcessMemory
    - [3] C:\Program Files (x86)\Internet Explorer\iexplore.exe
      Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
Network
MITRE ATT&CK Matrix ATT&CK v13
Downloads
- C:\Users\Admin\AppData\Local\Temp\vbc.exe
  - Filesize: 1.1MB
  - MD5: d881de17aa8f2e2c08cbb7b265f928f9
  - SHA1: 08936aebc87decf0af6e8eada191062b5e65ac2a
  - SHA256: b3a37093609f9a20ad60b85a9fa9de2ba674cba9b5bd687729440c70ba619ca0
  - SHA512: 5f23bfb1b8740247b36ed0ab741738c7d4c949736129e767213e321607d1ccd3e3a8428e4ba44bd28a275b5e3f6206285b1a522514b7ef7ea5e698d90a713d34
- memory/388-16-0x0000000000400000-0x000000000051F000-memory.dmp (Filesize: 1.1MB)
- memory/3676-7-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/3676-10-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/3676-13-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/3676-15-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/3676-17-0x00000000007A0000-0x00000000007A1000-memory.dmp (Filesize: 4KB)
- memory/3676-18-0x0000000000400000-0x00000000004B0000-memory.dmp (Filesize: 704KB)
- memory/4224-0-0x0000000074A90000-0x0000000075041000-memory.dmp (Filesize: 5.7MB)
- memory/4224-1-0x0000000000D30000-0x0000000000D40000-memory.dmp (Filesize: 64KB)
- memory/4224-2-0x0000000074A90000-0x0000000075041000-memory.dmp (Filesize: 5.7MB)
- memory/4224-12-0x0000000074A90000-0x0000000075041000-memory.dmp (Filesize: 5.7MB)