Analysis
  max time kernel: 118s
  max time network: 119s
  platform: windows7_x64
  resource: win7-20240221-en
  resource tags: arch:x64, arch:x86, image:win7-20240221-en, locale:en-us, os:windows7-x64, system
  submitted: 21-04-2024 03:46
  Static task: static1
  Behavioral task: behavioral1
    Sample: fe5abeb99b41caabc40ca3fdc4e32357_JaffaCakes118.exe
    Resource: win7-20240221-en
General
  Target: fe5abeb99b41caabc40ca3fdc4e32357_JaffaCakes118.exe
  Size: 1.1MB
  MD5: fe5abeb99b41caabc40ca3fdc4e32357
  SHA1: 31395d40d0499d83a755e558d16f46a23340b500
  SHA256: 3de1898cb9ba05922118274f4286962392e3eb63ddb7744ffe3cd3ca9970df1b
  SHA512: b2cbdd292881a529fc4eec2423ecdb3603cf52139949557887144816d13617f08919d794af0a4a1aa097d36f48af55956ecc02ced0c175157e20918a6fc5909c
  SSDEEP: 24576:cjg6rklsxivedtl8wz8iJ2Gqxfrk0mg5jWWPPv/k:ckmklsxw2Dwg2Gg5jXv/k
Malware Config
Extracted
  Family: darkcomet
  Botnet: Fucked
  C2: hidesn.no-ip.org:1604
  Mutex: DC_MUTEX-ZEGD8UE
  InstallPath: System32C/winlogon.exe
  gencode: QKzVM5n527Ug
  install: true
  offline_keylogger: true
  persistence: true
  reg_key: winlogon
Signatures
-
Modifies WinLogon for persistence (2 TTPs, 2 IoCs)
Processes: 1.exe, 2.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\QKzVM5n527Ug\\System32C/winlogon.exe,C:\\Windows\\u0wmjTPJ09qd\\System32C/winlogon.exe"  (1.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon\UserInit = "C:\\Windows\\system32\\userinit.exe,C:\\Windows\\QKzVM5n527Ug\\System32C/winlogon.exe"  (2.exe)
Modifies firewall policy service (2 TTPs, 9 IoCs)
Processes: 2.exe, 1.exe, iexplore.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"  (2.exe)
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  (1.exe)
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"  (1.exe)
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  (iexplore.exe)
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\DisableNotifications = "0"  (iexplore.exe)
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile  (2.exe)
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile  (1.exe)
  Key created      \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile  (iexplore.exe)
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\SharedAccess\Parameters\FirewallPolicy\StandardProfile\EnableFirewall = "0"  (2.exe)
Modifies security service (2 TTPs, 3 IoCs)
Processes: 2.exe, 1.exe, iexplore.exe
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"  (2.exe)
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"  (1.exe)
  Set value (int)  \REGISTRY\MACHINE\SYSTEM\ControlSet001\services\wscsvc\Start = "4"  (iexplore.exe)
Windows security bypass
Processes: 2.exe, 1.exe, iexplore.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  (2.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  (1.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  (1.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  (iexplore.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  (iexplore.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  (2.exe)
Disables RegEdit via registry modification (3 IoCs)
Processes: 2.exe, 1.exe, iexplore.exe
  Set value (int)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  (2.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  (1.exe)
  Set value (int)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Policies\System\DisableRegistryTools = "1"  (iexplore.exe)
Sets file to hidden (1 TTPs, 4 IoCs)
Modifies file attributes to stop it showing in Explorer etc.
Processes: attrib.exe (x4)
  PID 3016  attrib.exe
  PID 2572  attrib.exe
  PID 2452  attrib.exe
  PID 2812  attrib.exe
Executes dropped EXE (2 IoCs)
Processes: 1.exe, 2.exe
  PID 2328  1.exe
  PID 1804  2.exe
Windows security modification
Processes: 2.exe, 1.exe
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  (2.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  (2.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\AntiVirusDisableNotify = "1"  (1.exe)
  Set value (str)  \REGISTRY\MACHINE\SOFTWARE\Wow6432Node\Microsoft\Security Center\UpdatesDisableNotify = "1"  (1.exe)
Adds Run key to start application (2 TTPs, 2 IoCs)
Processes: 2.exe, 1.exe
  Set value (str)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\QKzVM5n527Ug\\System32C/winlogon.exe"  (2.exe)
  Set value (str)  \REGISTRY\USER\S-1-5-21-1298544033-3225604241-2703760938-1000\Software\Microsoft\Windows\CurrentVersion\Run\winlogon = "C:\\Windows\\u0wmjTPJ09qd\\System32C/winlogon.exe"  (1.exe)
Suspicious use of SetThreadContext (1 IoCs)
Processes: 2.exe
  PID 1804 (2.exe) set thread context of PID 2856  (procid_target 34)
Drops file in Windows directory (8 IoCs)
Processes: 2.exe, 1.exe
  File opened for modification  C:\Windows\QKzVM5n527Ug\  (2.exe)
  File created                  C:\Windows\System32C\winlogon.exe  (1.exe)
  File created                  C:\Windows\u0wmjTPJ09qd\System32C\winlogon.exe  (1.exe)
  File opened for modification  C:\Windows\u0wmjTPJ09qd\System32C\winlogon.exe  (1.exe)
  File opened for modification  C:\Windows\u0wmjTPJ09qd\  (1.exe)
  File created                  C:\Windows\System32C\winlogon.exe  (2.exe)
  File created                  C:\Windows\QKzVM5n527Ug\System32C\winlogon.exe  (2.exe)
  File opened for modification  C:\Windows\QKzVM5n527Ug\System32C\winlogon.exe  (2.exe)
Enumerates physical storage devices (1 TTPs)
Attempts to interact with connected storage/optical drive(s).
Suspicious use of AdjustPrivilegeToken (64 IoCs)
Processes: 1.exe, 2.exe, iexplore.exe
  PID 2328 (1.exe), 23 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 1804 (2.exe), 23 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege, SeImpersonatePrivilege, SeCreateGlobalPrivilege, 33, 34, 35
  PID 2856 (iexplore.exe), 18 tokens: SeIncreaseQuotaPrivilege, SeSecurityPrivilege, SeTakeOwnershipPrivilege, SeLoadDriverPrivilege, SeSystemProfilePrivilege, SeSystemtimePrivilege, SeProfSingleProcessPrivilege, SeIncBasePriorityPrivilege, SeCreatePagefilePrivilege, SeBackupPrivilege, SeRestorePrivilege, SeShutdownPrivilege, SeDebugPrivilege, SeSystemEnvironmentPrivilege, SeChangeNotifyPrivilege, SeRemoteShutdownPrivilege, SeUndockPrivilege, SeManageVolumePrivilege
Suspicious use of WriteProcessMemory (46 IoCs)
Processes: fe5abeb99b41caabc40ca3fdc4e32357_JaffaCakes118.exe, 2.exe, 1.exe, cmd.exe (x4)
  PID 2512 (fe5abeb99b41caabc40ca3fdc4e32357_JaffaCakes118.exe) wrote to memory of PID 2328, procid_target 29  (4 entries)
  PID 2512 (fe5abeb99b41caabc40ca3fdc4e32357_JaffaCakes118.exe) wrote to memory of PID 1804, procid_target 30  (4 entries)
  PID 1804 (2.exe) wrote to memory of PID 2628, procid_target 31  (4 entries)
  PID 1804 (2.exe) wrote to memory of PID 2640, procid_target 32  (4 entries)
  PID 2328 (1.exe) wrote to memory of PID 2656, procid_target 33  (4 entries)
  PID 1804 (2.exe) wrote to memory of PID 2856, procid_target 34  (6 entries)
  PID 2328 (1.exe) wrote to memory of PID 2588, procid_target 35  (4 entries)
  PID 2640 (cmd.exe) wrote to memory of PID 2812, procid_target 40  (4 entries)
  PID 2656 (cmd.exe) wrote to memory of PID 2452, procid_target 41  (4 entries)
  PID 2588 (cmd.exe) wrote to memory of PID 3016, procid_target 42  (4 entries)
  PID 2628 (cmd.exe) wrote to memory of PID 2572, procid_target 43  (4 entries)
Views/modifies file attributes (1 TTPs, 4 IoCs)
Processes: attrib.exe (x4)
  PID 3016  attrib.exe
  PID 2572  attrib.exe
  PID 2452  attrib.exe
  PID 2812  attrib.exe
Processes

[1] C:\Users\Admin\AppData\Local\Temp\fe5abeb99b41caabc40ca3fdc4e32357_JaffaCakes118.exe  (PID 2512)
    Command line: "C:\Users\Admin\AppData\Local\Temp\fe5abeb99b41caabc40ca3fdc4e32357_JaffaCakes118.exe"
    - Suspicious use of WriteProcessMemory

    [2] C:\Users\Admin\AppData\Local\Temp\1.exe  (PID 2328)
        Command line: "C:\Users\Admin\AppData\Local\Temp\1.exe"
        - Modifies WinLogon for persistence
        - Modifies firewall policy service
        - Modifies security service
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Adds Run key to start application
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe  (PID 2656)
            Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\1.exe" +s +h
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\attrib.exe  (PID 2452)
                Command line: attrib "C:\Users\Admin\AppData\Local\Temp\1.exe" +s +h
                - Sets file to hidden
                - Views/modifies file attributes

        [3] C:\Windows\SysWOW64\cmd.exe  (PID 2588)
            Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\attrib.exe  (PID 3016)
                Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
                - Sets file to hidden
                - Views/modifies file attributes

    [2] C:\Users\Admin\AppData\Local\Temp\2.exe  (PID 1804)
        Command line: "C:\Users\Admin\AppData\Local\Temp\2.exe"
        - Modifies WinLogon for persistence
        - Modifies firewall policy service
        - Modifies security service
        - Windows security bypass
        - Disables RegEdit via registry modification
        - Executes dropped EXE
        - Windows security modification
        - Adds Run key to start application
        - Suspicious use of SetThreadContext
        - Drops file in Windows directory
        - Suspicious use of AdjustPrivilegeToken
        - Suspicious use of WriteProcessMemory

        [3] C:\Windows\SysWOW64\cmd.exe  (PID 2628)
            Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp\2.exe" +s +h
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\attrib.exe  (PID 2572)
                Command line: attrib "C:\Users\Admin\AppData\Local\Temp\2.exe" +s +h
                - Sets file to hidden
                - Views/modifies file attributes

        [3] C:\Windows\SysWOW64\cmd.exe  (PID 2640)
            Command line: "C:\Windows\System32\cmd.exe" /k attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
            - Suspicious use of WriteProcessMemory

            [4] C:\Windows\SysWOW64\attrib.exe  (PID 2812)
                Command line: attrib "C:\Users\Admin\AppData\Local\Temp" +s +h
                - Sets file to hidden
                - Views/modifies file attributes

        [3] C:\Program Files (x86)\Internet Explorer\iexplore.exe  (PID 2856)
            Command line: "C:\Program Files (x86)\Internet Explorer\iexplore.exe"
            - Modifies firewall policy service
            - Modifies security service
            - Windows security bypass
            - Disables RegEdit via registry modification
            - Suspicious use of AdjustPrivilegeToken
Network
MITRE ATT&CK Enterprise v15
Persistence
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)
Privilege Escalation
  Boot or Logon Autostart Execution (2)
    Registry Run Keys / Startup Folder (1)
    Winlogon Helper DLL (1)
  Create or Modify System Process (2)
    Windows Service (2)
Downloads
  File 1
    Filesize: 756KB
    MD5: 813f1a78f96928559c28ca0e9e893364
    SHA1: b2a6db617a08f972c5fad15db2dec11f9ec473f7
    SHA256: d8d4c8d87b35eed612c023f596483a2abd342280971a4eef995488e824a0e452
    SHA512: 1458119161d04f366866d98c8f00edcf985dfad29e20f0b2dea1ea8459c9e77dffddb844cc7d8294ae57b4fc34975347d3f6874e22ed2ed4769bfe08b8a641ac
  File 2
    Filesize: 756KB
    MD5: a3b4f11a867a36b24b1a00d32025b230
    SHA1: bef76a2a11954d86030cd7b7bcb23648a61f0f12
    SHA256: 015cbf610dd013789e40a9dc415fd422df6038ba733a7f43f076afc410779123
    SHA512: 05f505584db73cf36ec99db073f288c8fdbe95895b6f64ab533985b48f4657cb821e380fcdce27b6ee4ce1ccbaffc8c1298dc52a1dfcdab3f2d0c7c0646f9a9a