Analysis
- max time kernel: 141s
- max time network: 119s
- platform: windows7_x64
- resource: win7-20231129-en
- resource tags: arch:x64, arch:x86, image:win7-20231129-en, locale:en-us, os:windows7-x64, system
- submitted: 09-04-2024 04:24
Behavioral task: behavioral1
- Sample: e93745a7f1d4e51d9152958293c95ab2_JaffaCakes118.exe
- Resource: win7-20231129-en
General
- Target: e93745a7f1d4e51d9152958293c95ab2_JaffaCakes118.exe
- Size: 253KB
- MD5: e93745a7f1d4e51d9152958293c95ab2
- SHA1: 5846d89d525786673d6f9f9e2a70d7824b37d7cd
- SHA256: 39cfdfcc391f134c17559cca1443b500e399fba2d3c4e8760132cc795555632d
- SHA512: e39bef9cd059916eb814359ac1506928dadc8e21f2bf567ee141f2ed5cf182d35d1d07eab04d14322de50fa1092c93ffe644afb418cee374d8745f2d03aa6d36
- SSDEEP: 6144:pBJVqu5jxRl+t6Ge0qw0kw9+Ks9a8/7z6lnxc:ptqwjxRl+t6GfL7zcS
Malware Config
Extracted: darkcomet
- Server ID: Guest16
- C2: 91.115.134.142:1604
- Mutex: DC_MUTEX-BRUA47Z
- gencode: 6XAbjTgAhU8X
- install: false
- offline_keylogger: true
- persistence: false
Signatures

Modifies security service (2 TTPs, 1 IoC)
Process: e93745a7f1d4e51d9152958293c95ab2_JaffaCakes118.exe
- Set value (int) \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"
Windows security bypass
Process: e93745a7f1d4e51d9152958293c95ab2_JaffaCakes118.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Disables RegEdit via registry modification (1 IoC)
Process: e93745a7f1d4e51d9152958293c95ab2_JaffaCakes118.exe
- Set value (int) \REGISTRY\USER\S-1-5-21-3627615824-4061627003-3019543961-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"
Sets file to hidden (1 TTP, 2 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes:
- PID 3036 attrib.exe
- PID 2612 attrib.exe
UPX packed file
Yara rule matches (resource: rule):
- behavioral1/memory/2028-0-0x0000000000400000-0x00000000004BA000-memory.dmp: upx
- behavioral1/memory/2028-10-0x0000000000400000-0x00000000004BA000-memory.dmp: upx
Windows security modification
Process: e93745a7f1d4e51d9152958293c95ab2_JaffaCakes118.exe
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"
Enumerates physical storage devices (1 TTP)
Attempts to interact with connected storage/optical drive(s).
Suspicious behavior: GetForegroundWindowSpam (1 IoC)
Process:
- PID 2028 e93745a7f1d4e51d9152958293c95ab2_JaffaCakes118.exe
Suspicious use of AdjustPrivilegeToken (23 IoCs)
Process: PID 2028 e93745a7f1d4e51d9152958293c95ab2_JaffaCakes118.exe adjusted the following token privileges:
- SeIncreaseQuotaPrivilege
- SeSecurityPrivilege
- SeTakeOwnershipPrivilege
- SeLoadDriverPrivilege
- SeSystemProfilePrivilege
- SeSystemtimePrivilege
- SeProfSingleProcessPrivilege
- SeIncBasePriorityPrivilege
- SeCreatePagefilePrivilege
- SeBackupPrivilege
- SeRestorePrivilege
- SeShutdownPrivilege
- SeDebugPrivilege
- SeSystemEnvironmentPrivilege
- SeChangeNotifyPrivilege
- SeRemoteShutdownPrivilege
- SeUndockPrivilege
- SeManageVolumePrivilege
- SeImpersonatePrivilege
- SeCreateGlobalPrivilege
- 33
- 34
- 35
Suspicious use of WriteProcessMemory (25 IoCs)
Source PID and process -> target PID and process (number of writes):
- 2028 e93745a7f1d4e51d9152958293c95ab2_JaffaCakes118.exe -> 3040 cmd.exe (4)
- 2028 e93745a7f1d4e51d9152958293c95ab2_JaffaCakes118.exe -> 2092 cmd.exe (4)
- 2028 e93745a7f1d4e51d9152958293c95ab2_JaffaCakes118.exe -> 1508 notepad.exe (9)
- 3040 cmd.exe -> 3036 attrib.exe (4)
- 2092 cmd.exe -> 2612 attrib.exe (4)
System policy modification (1 TTP, 3 IoCs)
Process: e93745a7f1d4e51d9152958293c95ab2_JaffaCakes118.exe
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern
- Set value (str) \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion\Explorern\NoControlPanel = "1"
- Key created \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows\CurrentVersion\Policies\CurrentVersion
Views/modifies file attributes (1 TTP, 2 IoCs)
Processes:
- PID 3036 attrib.exe
- PID 2612 attrib.exe
Processes

- C:\Users\Admin\AppData\Local\Temp\e93745a7f1d4e51d9152958293c95ab2_JaffaCakes118.exe
  Command line: "C:\Users\Admin\AppData\Local\Temp\e93745a7f1d4e51d9152958293c95ab2_JaffaCakes118.exe"
  Signatures:
  - Modifies security service
  - Windows security bypass
  - Disables RegEdit via registry modification
  - Windows security modification
  - Suspicious behavior: GetForegroundWindowSpam
  - Suspicious use of AdjustPrivilegeToken
  - Suspicious use of WriteProcessMemory
  - System policy modification

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\e93745a7f1d4e51d9152958293c95ab2_JaffaCakes118.exe" +s +h
    Signatures:
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp\e93745a7f1d4e51d9152958293c95ab2_JaffaCakes118.exe" +s +h
      Signatures:
      - Sets file to hidden
      - Views/modifies file attributes

  - C:\Windows\SysWOW64\cmd.exe
    Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
    Signatures:
    - Suspicious use of WriteProcessMemory

    - C:\Windows\SysWOW64\attrib.exe
      Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
      Signatures:
      - Sets file to hidden
      - Views/modifies file attributes

  - C:\Windows\SysWOW64\notepad.exe
    Command line: notepad
Downloads
- memory/1508-2-0x0000000000080000-0x0000000000081000-memory.dmp (Filesize 4KB)
- memory/2028-0-0x0000000000400000-0x00000000004BA000-memory.dmp (Filesize 744KB)
- memory/2028-1-0x0000000000270000-0x0000000000271000-memory.dmp (Filesize 4KB)
- memory/2028-10-0x0000000000400000-0x00000000004BA000-memory.dmp (Filesize 744KB)
- memory/2028-12-0x0000000000270000-0x0000000000271000-memory.dmp (Filesize 4KB)